CVE-2024-34345

@cyclonedx/cyclonedx-library Improper Restriction of XML External Entity Reference vulnerability

CVSS 8.1 HIGHEPSS 0.9%CWE-611

The CycloneDX JavaScript library contains the core functionality of OWASP CycloneDX for JavaScript. In 6.7.0, XML External entity injections were possible, when running the provided XML Validator on arbitrary input. This issue was fixed in version 6.7.1.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

CycloneDX · cyclonedx-javascript-library

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/CycloneDX/cyclonedx-javascript-library/commit/5e5e1e0b9422f47d2de81c7c4064b803a01e7203 https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1063 https://github.com/CycloneDX/cyclonedx-javascript-library/security/advisories/GHSA-38gf-rh2w-gmj7