JavaScript Library Vulnerable to XML External Entity Injection
CVE-2024-34345

8.1 HIGH

Key Information:

Vendor:
Cyclonedx
CVE Published:
14 May 2024

What is CVE-2024-34345?

The CycloneDX JavaScript library, an OWASP project used in software supply chain tooling, is vulnerable to XML External Entity (XXE) injection in version 6.7.0. The flaw occurs when the library's XML Validator processes arbitrary, untrusted XML input, potentially allowing an attacker to compromise the application that relies on it. The issue is fixed in version 6.7.1; users should upgrade to that version or later.

Affected Version(s)

cyclonedx-javascript-library = 6.7.0

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability reserved

  • Vulnerability published: 14 May 2024