PT-2024-27967 · Unknown · Cyclonedx-Core-Java

Author: Mr-Zepol · Published: 2024-06-24 · Updated: 2025-11-11

CVE-2024-38374
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: cyclonedx-core-java versions prior to 9.0.4

Description: The CycloneDX core module provides a model representation of SBOMs and utilities for creating, validating, and parsing them. Before deserializing a CycloneDX Bill of Materials in XML format, cyclonedx-core-java evaluates XPath expressions against the document to determine its schema version. The DocumentBuilderFactory used to evaluate these XPath expressions was not configured securely (DOCTYPE declarations and external entity resolution were left enabled), which allows XML External Entity (XXE) injection. XXE injection can be exploited to extract local file content or to perform Server-Side Request Forgery (SSRF) against adjacent infrastructure. The provided Proof of Concept (PoC) demonstrates the issue by triggering a connection error when a crafted XML document attempts to access a non-existent file.

Recommendations: Update cyclonedx-core-java to version 9.0.4 or later.
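The root cause described above is a DocumentBuilderFactory that keeps the JAXP defaults, which permit a DOCTYPE and resolve external entities before any XPath runs. The following is an added example, not code from cyclonedx-core-java or from the advisory's PoC, showing the hardening a consumer or library should apply to the factory before using it for a schema-version probe. The class and method names (SafeSchemaVersionProbe, hardenedFactory, readSchemaNamespace) are hypothetical, the sample documents are constructed, and the XPath "namespace-uri(/*)" merely illustrates reading the root namespace, which in CycloneDX documents carries the schema version; the feature URIs are the standard Xerces/JDK ones.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

// Hypothetical helper class (added example, not part of cyclonedx-core-java).
public class SafeSchemaVersionProbe {

    // A DocumentBuilderFactory configured so that a crafted BOM cannot pull in
    // external entities, external DTDs or XIncludes. Disallowing the DOCTYPE
    // outright is the decisive setting; the remaining flags are defence in depth
    // for parsers that do not honour it.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setNamespaceAware(true); // required for namespace-uri() to see the BOM namespace
        return f;
    }

    // Parses the BOM with the hardened factory and returns the root element's
    // namespace URI, from which the schema version can be derived.
    static String readSchemaNamespace(byte[] xml) throws Exception {
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        Document doc = builder.parse(new ByteArrayInputStream(xml));
        XPath xpath = XPathFactory.newInstance().newXPath();
        return (String) xpath.evaluate("namespace-uri(/*)", doc, XPathConstants.STRING);
    }

    public static void main(String[] args) throws Exception {
        // Constructed, benign BOM: parses normally and yields the 1.5 namespace.
        String benign = "<?xml version=\"1.0\"?>"
                + "<bom xmlns=\"http://cyclonedx.org/schema/bom/1.5\"/>";
        System.out.println(readSchemaNamespace(benign.getBytes(StandardCharsets.UTF_8)));

        // Constructed BOM carrying a DOCTYPE with an internal entity only. With
        // disallow-doctype-decl the parser refuses it before any entity is resolved,
        // so an external-entity payload in the same position would never be fetched.
        String withDoctype = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE bom [<!ENTITY x \"placeholder\">]>"
                + "<bom xmlns=\"http://cyclonedx.org/schema/bom/1.5\">&x;</bom>";
        try {
            readSchemaNamespace(withDoctype.getBytes(StandardCharsets.UTF_8));
            System.out.println("unexpected: DOCTYPE was accepted");
        } catch (SAXException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

When reviewing a dependency for this class of bug, the check is simply whether every DocumentBuilderFactory, SAXParserFactory or XMLInputFactory that touches untrusted input sets disallow-doctype-decl (or the equivalent for its parser) before newDocumentBuilder() is called; the fix in 9.0.4 is of this kind, and consumers who cannot upgrade immediately can apply the same configuration to any XML they parse before handing it to the library.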

Exploit · Fix · XXE

Weakness Enumeration

Related Identifiers: CVE-2024-38374, GHSA-683X-4444-JXH8

Affected Products: Cyclonedx-Core-Java