PT-2024-34357 · Unknown+3 · Owasp Dep-Scan+3
Eran-Medan · Published 2024-10-27 · Updated 2025-02-02
CVE-2024-50611
CVSS v3.1: 7.2 (High)
| Vector | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions:
CycloneDX cdxgen versions prior to 11.1.7
Description:
cdxgen executes code contained in build-related files, such as build.gradle.kts, when it is run against an untrusted codebase. This is similar to a previously identified issue. The cdxgen tool is used by various applications, including OWASP dep-scan. It has been noted that this is a design limitation rather than an implementation mistake.
Recommendations:
For versions prior to 11.1.7, update to version 11.1.7 or later, which introduces a "secure mode" that uses Node.js permissions to control resource access, limiting file access and process execution.
Weakness Enumeration: Code Injection
Affected Products: CycloneDX, Node.js, OWASP dep-scan, cdxgen