SB20240624137 - XML External Entity injection in dependency-track


Published: June 24, 2024 Updated: April 23, 2026

Security Bulletin ID: SB20240624137
CSH Severity: Low
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Information disclosure

Breakdown by Severity: Low 100%

Description

This security bulletin contains information about 1 security vulnerability.


1) XML External Entity injection (CVE-ID: CVE-2024-38515)

The vulnerability allows a remote user to disclose sensitive information or cause a denial of service.

The vulnerability exists due to improper restriction of XML external entity references in the CycloneDX BOM XML parsing and schema version detection logic when processing uploaded CycloneDX BOMs in XML format. A remote user can upload a specially crafted XML BOM to disclose sensitive information or cause a denial of service.

Uploading BOMs requires authentication and the BOM_UPLOAD permission. Information disclosure depends primarily on XML parsing error messages echoing portions of the files referenced by the external entity.
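As an added illustration of the mitigation (this is not Dependency-Track's own code, which is Java), the following Python screening function refuses any DOCTYPE, entity declaration or external entity reference in an uploaded CycloneDX XML BOM before reading the schema version from the root `<bom>` namespace. Both sample BOMs are constructed for this example; the SYSTEM identifier in the second is a placeholder.

```python
import xml.parsers.expat

# Constructed sample uploads (not taken from the advisory).
SAFE_BOM = (b'<?xml version="1.0"?>'
            b'<bom xmlns="http://cyclonedx.org/schema/bom/1.5" version="1">'
            b'<components/></bom>')
XXE_BOM = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE bom [<!ENTITY ext SYSTEM "file:///placeholder/target">]>'
           b'<bom xmlns="http://cyclonedx.org/schema/bom/1.4"><components>'
           b'<component type="library"><name>&ext;</name></component>'
           b'</components></bom>')


class DtdNotAllowed(ValueError):
    """Raised when an uploaded BOM carries DTD constructs it has no need for."""


def detect_cyclonedx_version(data: bytes) -> str:
    """Return the schema version (e.g. '1.5') from the root <bom> namespace.

    Any DOCTYPE, entity declaration or external entity reference aborts the
    parse, so no file or URL named by the document is ever opened.
    """
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    found = {}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdNotAllowed("DOCTYPE declarations are not accepted in BOM uploads")

    def on_entity_decl(*_):
        raise DtdNotAllowed("entity declarations are not accepted in BOM uploads")

    def on_external_entity(context, base, sysid, pubid):
        raise DtdNotAllowed("external entity reference refused")

    def on_start(name, attrs):
        if not found:  # only the root element matters for version detection
            ns, _, local = name.rpartition(" ")
            if local != "bom":
                raise ValueError("root element is not <bom>")
            found["version"] = ns.rsplit("/", 1)[-1] if ns else "unknown"

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    parser.Parse(data, True)  # exceptions raised in handlers propagate here
    return found["version"]


def screen_bom_upload(data: bytes) -> tuple[bool, str]:
    """Accept/reject decision plus the detected version or the rejection reason."""
    try:
        return True, detect_cyclonedx_version(data)
    except DtdNotAllowed as exc:
        return False, str(exc)
    except (xml.parsers.expat.ExpatError, ValueError) as exc:
        return False, f"malformed BOM: {exc}"
```

Rejecting the DOCTYPE outright is simpler and safer than trying to allow "harmless" internal subsets, since CycloneDX BOMs never need one.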


Remediation

Install the update from the vendor's website.