{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-34345", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-05-02T06:36:32.437Z", "datePublished": "2024-05-09T14:56:07.494Z", "dateUpdated": "2024-08-02T02:51:09.775Z"}, "containers": {"cna": {"title": "@cyclonedx/cyclonedx-library Improper Restriction of XML External Entity Reference vulnerability", "problemTypes": [{"descriptions": [{"cweId": "CWE-611", "lang": "en", "description": "CWE-611: Improper Restriction of XML External Entity Reference", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/CycloneDX/cyclonedx-javascript-library/security/advisories/GHSA-38gf-rh2w-gmj7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/CycloneDX/cyclonedx-javascript-library/security/advisories/GHSA-38gf-rh2w-gmj7"}, {"name": "https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1063", "tags": ["x_refsource_MISC"], "url": "https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1063"}, {"name": "https://github.com/CycloneDX/cyclonedx-javascript-library/commit/5e5e1e0b9422f47d2de81c7c4064b803a01e7203", "tags": ["x_refsource_MISC"], "url": "https://github.com/CycloneDX/cyclonedx-javascript-library/commit/5e5e1e0b9422f47d2de81c7c4064b803a01e7203"}], "affected": [{"vendor": "CycloneDX", "product": "cyclonedx-javascript-library", "versions": [{"version": "= 6.7.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-05-09T14:56:07.494Z"}, "descriptions": [{"lang": "en", "value": "The CycloneDX JavaScript library contains the core functionality of OWASP CycloneDX for JavaScript. In 6.7.0, XML External entity injections were possible, when running the provided XML Validator on arbitrary input. This issue was fixed in version 6.7.1."}], "source": {"advisory": "GHSA-38gf-rh2w-gmj7", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-34345", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-05-09T15:59:54.797606Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:42:18.156Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:51:09.775Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/CycloneDX/cyclonedx-javascript-library/security/advisories/GHSA-38gf-rh2w-gmj7", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/CycloneDX/cyclonedx-javascript-library/security/advisories/GHSA-38gf-rh2w-gmj7"}, {"name": "https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1063", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1063"}, {"name": "https://github.com/CycloneDX/cyclonedx-javascript-library/commit/5e5e1e0b9422f47d2de81c7c4064b803a01e7203", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/CycloneDX/cyclonedx-javascript-library/commit/5e5e1e0b9422f47d2de81c7c4064b803a01e7203"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/CycloneDX/cyclonedx-javascript-library/security/advisories/GHSA-38gf-rh2w-gmj7", "name": "https://github.com/CycloneDX/cyclonedx-javascript-library/security/advisories/GHSA-38gf-rh2w-gmj7", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1063", "name": "https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1063", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/CycloneDX/cyclonedx-javascript-library/commit/5e5e1e0b9422f47d2de81c7c4064b803a01e7203", "name": "https://github.com/CycloneDX/cyclonedx-javascript-library/commit/5e5e1e0b9422f47d2de81c7c4064b803a01e7203", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:51:09.775Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-34345", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-05-09T15:59:54.797606Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-09T16:02:52.852Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "@cyclonedx/cyclonedx-library Improper Restriction of XML External Entity Reference vulnerability", "source": {"advisory": "GHSA-38gf-rh2w-gmj7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "CycloneDX", "product": "cyclonedx-javascript-library", "versions": [{"status": "affected", "version": "= 6.7.0"}]}], "references": [{"url": "https://github.com/CycloneDX/cyclonedx-javascript-library/security/advisories/GHSA-38gf-rh2w-gmj7", "name": "https://github.com/CycloneDX/cyclonedx-javascript-library/security/advisories/GHSA-38gf-rh2w-gmj7", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1063", "name": "https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1063", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/CycloneDX/cyclonedx-javascript-library/commit/5e5e1e0b9422f47d2de81c7c4064b803a01e7203", "name": "https://github.com/CycloneDX/cyclonedx-javascript-library/commit/5e5e1e0b9422f47d2de81c7c4064b803a01e7203", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "The CycloneDX JavaScript library contains the core functionality of OWASP CycloneDX for JavaScript. In 6.7.0, XML External entity injections were possible, when running the provided XML Validator on arbitrary input. This issue was fixed in version 6.7.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-611", "description": "CWE-611: Improper Restriction of XML External Entity Reference"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-05-09T14:56:07.494Z"}}}, "cveMetadata": {"cveId": "CVE-2024-34345", "state": "PUBLISHED", "dateUpdated": "2024-08-02T02:51:09.775Z", "dateReserved": "2024-05-02T06:36:32.437Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-05-09T14:56:07.494Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The CycloneDX JavaScript library contains the core functionality of OWASP CycloneDX for JavaScript. In 6.7.0, XML External entity injections were possible, when running the provided XML Validator on arbitrary input. This issue was fixed in version 6.7.1."}, {"lang": "es", "value": "La librer\u00eda JavaScript CycloneDX contiene la funcionalidad principal de OWASP CycloneDX para JavaScript. En 6.7.0, las inyecciones de entidades externas XML eran posibles al ejecutar el validador XML proporcionado en entradas arbitrarias. Este problema se solucion\u00f3 en la versi\u00f3n 6.7.1."}], "id": "CVE-2024-34345", "lastModified": "2024-05-14T16:12:23.490", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-05-14T15:38:40.380", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/CycloneDX/cyclonedx-javascript-library/commit/5e5e1e0b9422f47d2de81c7c4064b803a01e7203"}, {"source": "security-advisories@github.com", "url": "https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1063"}, {"source": "security-advisories@github.com", "url": "https://github.com/CycloneDX/cyclonedx-javascript-library/security/advisories/GHSA-38gf-rh2w-gmj7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}