
AVID-2026-R1502

Description

Improper Restriction of XML External Entity Reference in org.cyclonedx:cyclonedx-core-java (CVE-2024-38374)

Details

The CycloneDX core module provides a model representation of the SBOM along with utilities to assist in creating, validating, and parsing SBOMs. Before deserializing a CycloneDX Bill of Materials in XML format, cyclonedx-core-java evaluates XPath expressions to determine the schema version of the BOM. The DocumentBuilderFactory used to evaluate those XPath expressions was not configured securely, making the library vulnerable to XML External Entity (XXE) injection. This vulnerability has been fixed in cyclonedx-core-java version 9.0.4.
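The weak and hardened DocumentBuilderFactory configurations described above, as an added Java example that is not code from cyclonedx-core-java; the BomSchemaVersionProbe class, its method names and the sample BOM are assumptions constructed for illustration.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class BomSchemaVersionProbe {
    // Weak: the JDK default accepts a DOCTYPE and resolves external entities.
    static DocumentBuilderFactory weakFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened: a BOM never needs a DTD, so refuse DOCTYPE outright and disable
    // entity expansion, external DTD loading and XInclude as defense in depth.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setNamespaceAware(true);
        return f;
    }

    // Parses the BOM and evaluates an XPath to read its schema namespace, the kind
    // of pre-deserialization probe the advisory describes.
    static String schemaNamespace(DocumentBuilderFactory f, String xml) throws Exception {
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        return XPathFactory.newInstance().newXPath().evaluate("namespace-uri(/*)", doc);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a minimal BOM with no DOCTYPE parses under both factories.
        String bom = "<bom xmlns=\"http://cyclonedx.org/schema/bom/1.5\" version=\"1\"/>";
        System.out.println("namespace: " + schemaNamespace(hardenedFactory(), bom));
        // Any DOCTYPE, even an empty one, is rejected by the hardened factory before
        // the parser can consider resolving an entity; the weak factory accepts it.
        try {
            schemaNamespace(hardenedFactory(), "<!DOCTYPE bom>" + bom);
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Rejecting the DOCTYPE declaration itself is the decisive control: without it, the parser never reaches the entity definitions that an XXE payload depends on.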

Reason for inclusion in AVID: CVE-2024-38374 is an XXE vulnerability in CycloneDX core Java (SBOM parsing). SBOM tooling is a key component of software supply chain management, including for AI systems. The issue is a security vulnerability in a tool used to build and run AI software supply chains, with a high CVSS base severity and a public fix version. The report provides clear evidence (CVE ID, affected artifact, remediation) to support inclusion in AVID curation.

References

Affected or Relevant Artifacts

  • Developer: CycloneDX
  • Deployer: CycloneDX
  • Artifact Details:
      Type    Name
      System  cyclonedx-core-java

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

Version: 3.1
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Base Score: 7.5
Base Severity: 🔴 High
Attack Vector: NETWORK
Attack Complexity: 🟢 Low
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: 🔴 High
Integrity Impact: NONE
Availability Impact: NONE

CWE

ID       Description
CWE-611  Improper Restriction of XML External Entity Reference

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2024-06-28
  • Version: 0.3.3
  • AVID Entry