CycloneDX CycloneDX-Core-Java XML External Entity Injection Vulnerability

Vulnerability

A vulnerability allowing XML External Entity (XXE) injection has been identified in the CycloneDX core module for Java, affecting versions from 2.1.0 up to (but not including) 11.0.1. The issue arises because the XML Validator used by the library was not securely configured, leaving it open to XXE attacks during validation of an XML Bill of Materials (BOM). This vulnerability could be exploited to perform various attacks, such as denial-of-service, server-side request forgery, or other system impacts.

Impact

Exploitation of this vulnerability allows for XML External Entity injection, which can lead to various attacks, including denial-of-service, server-side request forgery, and other system impacts.

Reproduction

To reproduce this vulnerability, use a CycloneDX core Java version from 2.1.0 up to (but not including) 11.0.1 and validate an XML BOM that contains external entity references. The validation process is vulnerable to XXE injection, allowing for exploitation.

Remediation

The vulnerability has been fixed in CycloneDX core Java version 11.0.1. As a workaround, users can reject XML documents before validation, which is practical when incoming CycloneDX BOMs are known to be in JSON format.
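The two defensive controls the remediation describes, a pre-validation gate that rejects XML when only JSON is expected and a JAXP validator configured so that external DTDs and schemas are never resolved, can be combined in a small wrapper. The following is an added illustrative example, not CycloneDX's own code or its actual fix; the class name `BomValidationGate`, the local XSD path, and the sample documents are assumptions made here.

```java
import java.io.IOException;
import java.io.StringReader;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import org.xml.sax.SAXException;

/**
 * Hypothetical gate placed in front of BOM validation (example code, not CycloneDX's).
 * Control 1: reject XML outright when only JSON BOMs are expected (the advisory's workaround).
 * Control 2: if XML must be accepted, refuse any DOCTYPE and validate with a JAXP
 *            validator that cannot resolve external DTDs or schemas.
 */
public final class BomValidationGate {

    private final Validator validator;

    /** @param bomXsd local path to a CycloneDX XSD (assumption: the schema is already on disk). */
    public BomValidationGate(Path bomXsd) throws SAXException {
        SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        // No external DTD or schema access while compiling the schema itself.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        Schema schema = factory.newSchema(bomXsd.toFile());

        validator = schema.newValidator();
        // The Validator parses the instance document with its own parser, so the
        // same restrictions must be applied here, not only on the factory.
        validator.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
    }

    /** Control 1: cheap format sniff that runs before any XML parser sees the input. */
    public static boolean looksLikeXml(String bom) {
        String s = bom.stripLeading();
        if (s.startsWith("\uFEFF")) {           // tolerate a UTF-8 byte-order mark
            s = s.substring(1).stripLeading();
        }
        return s.startsWith("<");
    }

    /** Defence in depth: a CycloneDX BOM never needs a DTD, so any DOCTYPE is suspect. */
    public static boolean declaresDoctype(String bom) {
        return bom.contains("<!DOCTYPE");        // the XML keyword is case-sensitive
    }

    /**
     * Control 2: validate an XML BOM against the schema. Because external access is
     * disabled on the validator, a document that references an external entity
     * fails with a SAXException instead of triggering a fetch.
     */
    public void validate(String bomXml) throws SAXException, IOException {
        if (declaresDoctype(bomXml)) {
            throw new SAXException("DOCTYPE declarations are not accepted in BOM documents");
        }
        validator.validate(new StreamSource(new StringReader(bomXml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs; the entity URI is a placeholder, not a real target.
        String jsonBom = "{ \"bomFormat\": \"CycloneDX\", \"specVersion\": \"1.5\" }";
        String hostileXml = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE bom [<!ENTITY ext SYSTEM \"file:///placeholder-not-a-real-path\">]>\n"
            + "<bom>&ext;</bom>\n";

        System.out.println("JSON sniffed as XML? " + looksLikeXml(jsonBom));        // false
        System.out.println("Hostile sniffed as XML? " + looksLikeXml(hostileXml));  // true

        if (args.length == 1) {
            BomValidationGate gate = new BomValidationGate(Path.of(args[0]));
            try {
                gate.validate(hostileXml);
                System.out.println("unexpectedly accepted");
            } catch (SAXException e) {
                System.out.println("rejected before any external fetch: " + e.getMessage());
            }
        }
    }
}
```

Run with the path to a locally stored CycloneDX XSD as the only argument. The `XMLConstants.ACCESS_EXTERNAL_DTD` and `ACCESS_EXTERNAL_SCHEMA` properties are the JAXP 1.5 controls honoured by the JDK's built-in validator; setting them to an empty string disables every protocol, which is the setting to check for in any code that validates untrusted XML.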

Added: Nov 10, 2025, 10:17 PM
Updated: Nov 10, 2025, 10:17 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.3
exploitability: 8.4
remediation: 7.7
relevance: 1.0
threat: 4.8
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.