Unknown · Owasp Dep-Scan · CVE-2024-50611
Name of the Vulnerable Software and Affected Versions:
CycloneDX cdxgen versions prior to 11.1.7
Description:
The issue allows execution of code contained within build-related files, such as `build.gradle.kts`, when run against an untrusted codebase. This is similar to a previously identified issue. The `cdxgen` tool is used by various applications, including OWASP dep-scan. It has been noted that this is a design limitation rather than an implementation mistake.
Recommendations:
For versions prior to 11.1.7, update to version 11.1.7 or later, which introduces a "secure mode" that uses Node.js permissions to control resource access, limiting file access and process execution.