CVE-2024-38374: 
Java vulnerability analysis and mitigation

The CycloneDX core module, which provides model representation and utilities for Software Bill of Materials (SBOM), contains a vulnerability in versions prior to 9.0.4. Before deserializing CycloneDX Bill of Materials in XML format, the library uses XPath expressions to determine the schema version of the BOM. The DocumentBuilderFactory used to evaluate these XPath expressions was not configured securely, making the library vulnerable to XML External Entity (XXE) injection (GitHub Advisory).

The vulnerability exists in the XML parsing functionality where the DocumentBuilderFactory was not properly configured with security restrictions when evaluating XPath expressions. This configuration gap allows for XXE injection attacks during the schema version detection process. The issue has been assigned a CVSS v3.1 score of 7.5 (High) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating network attack vector, low complexity, no privileges required, and high impact on confidentiality (GitHub Advisory).

The XXE injection vulnerability can be exploited to exfiltrate local file content or perform Server Side Request Forgery (SSRF) to access infrastructure adjacent to the vulnerable application. This could lead to unauthorized access to sensitive data and potential system compromise (GitHub Advisory).

The vulnerability has been fixed in cyclonedx-core-java version 9.0.4. For users unable to upgrade immediately, a potential workaround is to reject XML documents before passing them to cyclonedx-core-java for parsing, particularly if incoming CycloneDX BOMs are known to be in JSON format. The fix implements proper security configurations for the DocumentBuilderFactory following OWASP recommendations (GitHub PR).