Impact
Dependency-Track uses the org.cyclonedx:cyclonedx-core-java library to validate and parse CycloneDX Bill of Materials. Before parsing a BOM in XML format, cyclonedx-core-java versions before 9.0.4 leverage XPath expressions to determine the schema version of the BOM. The DocumentBuilderFactory used to evaluate XPath expressions was not configured securely, making the library, and in consequence Dependency-Track, vulnerable to XML External Entity (XXE) injection.
As of version 4.11.0, Dependency-Track validates uploaded BOMs against the CycloneDX schema prior to processing them. Unfortunately, the logic to determine the correct schema version for validation made the same mistake as cyclonedx-core-java, rendering it vulnerable, too.
In order to upload BOMs to Dependency-Track, clients must authenticate, and have the BOM_UPLOAD permission.
Exploitation of XXE injections for information disclosure primarily relies on error messages containing (parts of) the file being targeted for exfiltration.
Dependency-Track does not surface XML parsing errors to clients:
- With the BOM validation feature (introduced in version 4.11.0) enabled, a failure in parsing the uploaded BOM is responded to with a generic
BOM is neither valid JSON nor XML message.
- With the BOM validation feature disabled, the BOM is only parsed during asynchronous processing, at which point the client is no longer involved.
It is possible to impact availability by uploading BOMs that reference external entities on a remote system that never responds or responds slowly. This way, application threads can be kept busy waiting for responses, causing a service degradation of the Dependency-Track system.
Patches
The vulnerability has been fixed in Dependency-Track version 4.11.4.
Workarounds
- The import of BOMs can be disabled completely in the administration panel, via Configuration -> BOM Formats -> Enable CycloneDX.
- Review which teams and users have the
BOM_UPLOAD permission, potentially revoking it until a a fixed version is deployed.
- Review and potentially revoke API keys that haven't been used in a while.
References
Impact
Dependency-Track uses the
org.cyclonedx:cyclonedx-core-javalibrary to validate and parse CycloneDX Bill of Materials. Before parsing a BOM in XML format,cyclonedx-core-javaversions before 9.0.4 leverage XPath expressions to determine the schema version of the BOM. TheDocumentBuilderFactoryused to evaluate XPath expressions was not configured securely, making the library, and in consequence Dependency-Track, vulnerable to XML External Entity (XXE) injection.As of version 4.11.0, Dependency-Track validates uploaded BOMs against the CycloneDX schema prior to processing them. Unfortunately, the logic to determine the correct schema version for validation made the same mistake as
cyclonedx-core-java, rendering it vulnerable, too.In order to upload BOMs to Dependency-Track, clients must authenticate, and have the
BOM_UPLOADpermission.Exploitation of XXE injections for information disclosure primarily relies on error messages containing (parts of) the file being targeted for exfiltration.
Dependency-Track does not surface XML parsing errors to clients:
BOM is neither valid JSON nor XMLmessage.It is possible to impact availability by uploading BOMs that reference external entities on a remote system that never responds or responds slowly. This way, application threads can be kept busy waiting for responses, causing a service degradation of the Dependency-Track system.
Patches
The vulnerability has been fixed in Dependency-Track version 4.11.4.
Workarounds
BOM_UPLOADpermission, potentially revoking it until a a fixed version is deployed.References