XML External Entity injection in dependency-track - CVE-2024-38515

Published: June 24, 2024 / Updated: April 23, 2026


Vulnerability identifier: #VU127084
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-38515
CWE-ID: CWE-611
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: dependency-track
Software vendor: DependencyTrack

Description

The vulnerability allows a remote user to disclose sensitive information or cause a denial of service.

The vulnerability exists due to improper restriction of XML external entity references in the CycloneDX BOM XML parsing and schema version detection logic when processing uploaded CycloneDX BOMs in XML format. A remote user can upload a specially crafted XML BOM to disclose sensitive information or cause a denial of service.

Uploading BOMs requires authentication and the BOM_UPLOAD permission. Information disclosure primarily depends on XML parsing errors containing portions of targeted files.
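As an added illustration of the CWE-611 hardening the description implies, the following Java sketch shows a BOM intake path that first detects the CycloneDX schema version from the root element's namespace and then parses the document with DTDs, external entities and external DTD loading disabled, so a DOCTYPE in an uploaded BOM is rejected rather than resolved. This is example code written here, not Dependency-Track's own parser code; the class and method names, the sample BOM strings and the placeholder entity target are constructed for the example, and the CycloneDX namespace URI form is assumed from the project's published XML schemas.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import java.io.StringReader;

/** Hypothetical hardened XML intake for CycloneDX BOM uploads (example only). */
public final class HardenedBomXmlParsing {

    // Constructed sample: a BOM that carries a DOCTYPE with an external entity
    // pointing at a placeholder URI. This is the document shape CWE-611 is about.
    static final String CONSTRUCTED_BOM_WITH_DTD = "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE bom [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER\">]>\n"
        + "<bom xmlns=\"http://cyclonedx.org/schema/bom/1.5\">"
        + "<components><component type=\"library\"><name>&ext;</name></component></components>"
        + "</bom>";

    // Constructed sample: a plain BOM with no DTD.
    static final String CONSTRUCTED_SAFE_BOM = "<?xml version=\"1.0\"?>"
        + "<bom xmlns=\"http://cyclonedx.org/schema/bom/1.5\"><components/></bom>";

    /** StAX factory with DTD support and external entity resolution switched off. */
    static XMLInputFactory hardenedStaxFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f;
    }

    /**
     * Schema version detection: returns the root element's namespace URI
     * (which encodes the CycloneDX schema version) and rejects any DOCTYPE
     * before the first element is reached.
     */
    static String detectBomNamespace(String xml) throws XMLStreamException {
        XMLStreamReader r = hardenedStaxFactory().createXMLStreamReader(new StringReader(xml));
        try {
            while (r.hasNext()) {
                int event = r.next();
                if (event == XMLStreamConstants.DTD) {
                    throw new XMLStreamException("BOM rejected: DOCTYPE declarations are not permitted");
                }
                if (event == XMLStreamConstants.START_ELEMENT) {
                    return r.getNamespaceURI();
                }
            }
            throw new XMLStreamException("BOM rejected: no root element found");
        } finally {
            r.close();
        }
    }

    /** DOM builder that disallows DOCTYPE entirely and disables external DTD/entity loading. */
    static DocumentBuilder hardenedDomBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Full parse of an uploaded BOM with the hardened builder. */
    static Document parseBom(String xml) throws Exception {
        return hardenedDomBuilder().parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Benign upload: namespace detection and parsing both succeed.
        System.out.println("safe BOM namespace: " + detectBomNamespace(CONSTRUCTED_SAFE_BOM));
        parseBom(CONSTRUCTED_SAFE_BOM);

        // Upload carrying a DOCTYPE: either the StAX stage or the DOM stage refuses it,
        // so the entity's SYSTEM target is never opened.
        try {
            detectBomNamespace(CONSTRUCTED_BOM_WITH_DTD);
            parseBom(CONSTRUCTED_BOM_WITH_DTD);
            System.out.println("unexpected: BOM with DOCTYPE was accepted");
        } catch (Exception e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

The two-stage shape matters because the advisory names both the schema version detection and the BOM parsing logic: hardening only the final parser still leaves a lightweight "sniffing" pass able to resolve entities. Rejecting DOCTYPE outright (rather than merely disabling external entities) also removes the parsing-error side channel the description mentions, since a BOM that needs no DTD has no legitimate reason to carry one.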


Remediation

Install security update from vendor's website.

External links