VYPR
High severity (CVSS 7.2) · OSV Advisory · Published Oct 27, 2024 · Updated Apr 15, 2026

CVE-2024-50611

Description

CycloneDX cdxgen through 10.10.7, when run against an untrusted codebase, may execute code contained within build-related files such as build.gradle.kts, a similar issue to CVE-2022-24441. cdxgen is used by, for example, OWASP dep-scan. NOTE: this has been characterized as a design limitation, rather than an implementation mistake.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

cdxgen before 10.10.7 can execute arbitrary code from untrusted build files like build.gradle.kts, similar to CVE-2022-24441.

Vulnerability

Analysis

CVE-2024-50611 is a code execution vulnerability in CycloneDX cdxgen versions prior to 10.10.7. When cdxgen is used to generate a Software Bill of Materials (SBOM) from an untrusted codebase, it may execute malicious code embedded in build-related files such as build.gradle.kts, a behavior similar to the previously disclosed CVE-2022-24441 [1]. The issue is characterized as a design limitation rather than an implementation mistake, meaning the tool's functionality inherently involves processing project build files in a way that can lead to code execution.

Exploitation

An attacker can exploit this by supplying a crafted codebase containing malicious build files (e.g., a Gradle build script) to cdxgen. When cdxgen processes these files during SBOM generation, the malicious code can be executed on the system running cdxgen. No authentication is required beyond the ability to provide a codebase to cdxgen, making it a high-risk scenario in automated CI/CD pipelines where cdxgen is used to scan untrusted repositories. cdxgen is also used by OWASP dep-scan, extending the potential impact [2][3].

Impact

Successful exploitation allows an attacker to achieve arbitrary code execution on the host system. This could lead to full compromise of the CI/CD environment, data exfiltration, or further lateral movement within the infrastructure. The vulnerability has a CVSS v3 score of 7.2 (High), reflecting its serious consequences.

Mitigation

The issue is addressed in cdxgen version 10.10.8 and later, as indicated by references to security fixes in subsequent releases [4]. Users are strongly advised to upgrade to the latest version of cdxgen. If immediate upgrade is not possible, it is recommended to only use cdxgen against trusted codebases and to review build files before scanning. The advisory also suggests applying similar mitigations recommended for CVE-2022-24441 [1].
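The "review build files before scanning" step above, as an added example that is not the advisory's or cdxgen's own code: a CI pre-flight gate in Python that inventories the build scripts a Gradle-driven scan would execute (build.gradle.kts is the file this advisory names; the other patterns are assumptions) and refuses the cdxgen run until each script matches a SHA-256 recorded when a human reviewed it.

```python
"""Pre-flight gate for running cdxgen on a checkout of untrusted code.

Added example, not part of cdxgen or OWASP dep-scan. Any build script that
is new or changed since review blocks the scan, so CVE-2024-50611-style
code execution cannot be triggered by an unreviewed file.
"""
import fnmatch
import hashlib
import sys
from pathlib import Path

# Patterns matched against the repository-relative POSIX path. The Gradle
# Kotlin DSL entries cover the case in this advisory; the rest are assumptions.
BUILD_SCRIPT_PATTERNS = (
    "build.gradle.kts", "settings.gradle.kts", "*/build.gradle.kts",
    "build.gradle", "settings.gradle", "*/build.gradle",
    "buildSrc/*", "gradlew", "gradlew.bat",
)


def find_build_scripts(root: Path) -> list[str]:
    """Return sorted repo-relative paths of files a build tool would execute."""
    found = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if rel.startswith(".git/"):
            continue  # VCS metadata is never executed by the build
        if any(fnmatch.fnmatch(rel, pat) for pat in BUILD_SCRIPT_PATTERNS):
            found.append(rel)
    return sorted(found)


def sha256_of(path: Path) -> str:
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def gate(root: Path, reviewed: dict[str, str]) -> tuple[bool, list[str]]:
    """Allow the scan only if every build script matches a reviewed digest.

    `reviewed` maps repo-relative path -> hex SHA-256 recorded after review.
    Returns (ok, unreviewed_paths); run cdxgen only when ok is True.
    """
    root = Path(root)
    unreviewed = [rel for rel in find_build_scripts(root)
                  if reviewed.get(rel) != sha256_of(root / rel)]
    return (not unreviewed, unreviewed)


if __name__ == "__main__":
    # Usage: python gate.py <checkout>  (exit status 1 blocks the CI step)
    ok, blocked = gate(Path(sys.argv[1]), reviewed={})
    print("\n".join(f"unreviewed build script: {r}" for r in blocked))
    sys.exit(0 if ok else 1)
```

In a pipeline the `reviewed` mapping would be loaded from a file committed by the reviewer, so only a re-review, not the untrusted checkout, can change which scripts are allowed to run.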

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                  Affected versions   Patched versions
@cyclonedx/cdxgen (npm)  < 11.1.7            11.1.7
