CVE-2024-34345

high

Description

The CycloneDX JavaScript library contains the core functionality of OWASP CycloneDX for JavaScript. In 6.7.0, XML External entity injections were possible, when running the provided XML Validator on arbitrary input. This issue was fixed in version 6.7.1.

References

https://github.com/CycloneDX/cyclonedx-javascript-library/security/advisories/GHSA-38gf-rh2w-gmj7

https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1063

https://github.com/CycloneDX/cyclonedx-javascript-library/commit/5e5e1e0b9422f47d2de81c7c4064b803a01e7203

Details

Source: Mitre, NVD

Published: 2024-05-14

Updated: 2024-05-14

Risk Information

CVSS v2

Base Score: 7.6

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C

Severity: High

CVSS v3

Base Score: 8.1

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: High