CVE-2019-9843 – com.diffplug.spotless:spotless-maven-plugin

Package

Manager: maven
Name: com.diffplug.spotless:spotless-maven-plugin
Vulnerable Version: >=0 <1.20.0

Severity

Level: High

CVSS v3.1: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.0035 pctl0.56757

Details

Improper Restriction of XML External Entity Reference in DiffPlug Spotless In DiffPlug Spotless before 1.20.0 (library and Maven plugin) and before 3.20.0 (Gradle plugin), the XML parser would resolve external entities over both HTTP and HTTPS and didn't respect the resolveExternalEntities setting. For example, this allows disclosure of file contents to a MITM attacker if a victim performs a spotlessApply operation on an untrusted XML file.

Metadata

Created: 2019-07-05T21:07:40Z
Modified: 2022-11-17T18:10:27Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-7v35-qwwj-p98g/GHSA-7v35-qwwj-p98g.json
CWE IDs: ["CWE-611"]
Alternative ID: GHSA-7v35-qwwj-p98g
Finding: F083
Auto approve: 1