CVE-2019-10782 – com.puppycrawl.tools:checkstyle
Package
Manager: maven
Name: com.puppycrawl.tools:checkstyle
Vulnerable Version: >=0 <8.29
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00488 (percentile 0.64494)
Details
XML external entity (XXE) processing: the 'external-parameter-entities' feature was not fully disabled.

Due to an incomplete fix for [CVE-2019-9658](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9658), checkstyle was still vulnerable to XML External Entity (XXE) Processing.

### Impact

#### User: Build Maintainers

This vulnerability probably doesn't impact Maven/Gradle users as, in most cases, these builds are processing files that are trusted, or pre-vetted by a pull request reviewer before being run on internal CI infrastructure.

#### User: Static Analysis as a Service

If you operate a site/service that parses "untrusted" Checkstyle XML configuration files, you are vulnerable to this and should patch.

Note from the discoverer of the original CVE-2019-9658:

> While looking at a few companies that run Checkstyle/PMD/etc. as a service I notice that it's a common pattern to run the static code analysis tool inside of a Docker container with the following flags:
> ```
> --net=none \
> --privileged=false \
> --cap-drop=ALL
> ```
> Running the analysis in Docker has the advantage that there should be no sensitive local file information that XXE can exfiltrate from the container. Additionally, these flags prevent vulnerabilities in static analysis tools like Checkstyle from being used to exfiltrate data via XXE or to perform SSRF.
>
> \- [Jonathan Leitschuh](https://twitter.com/jlleitschuh)

### Patches

_Has the problem been patched? What versions should users upgrade to?_

Patched; the fix will be released in version 8.29 on 26 Jan 2020.

### Workarounds

_Is there a way for users to fix or remediate the vulnerability without upgrading?_

No workarounds are available.

### References

- [CWE-611: Improper Restriction of XML External Entity Reference](https://cwe.mitre.org/data/definitions/611.html)
- GitHub Issue https://github.com/checkstyle/checkstyle/issues/7468

### For more information

If you have any questions or comments about this advisory:

* Open an issue in https://github.com/checkstyle/checkstyle/issues
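The root cause above is a parser on which only general entities were disabled while the SAX 'external-parameter-entities' feature stayed enabled. The following added example (not Checkstyle's own code; class names and the reserved `example.invalid` placeholder URL are assumptions) contrasts that incomplete configuration with a fully hardened one, using a constructed config whose DOCTYPE declares an external parameter entity and a resolver that records resolution attempts instead of performing any I/O:

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.helpers.DefaultHandler;

public class XxeHardening {
    // Constructed sample (not a real Checkstyle config): its DOCTYPE declares an external
    // *parameter* entity; the SYSTEM id is a reserved placeholder and is never fetched.
    static final String UNTRUSTED_CONFIG =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE module [\n"
      + "  <!ENTITY % ext SYSTEM \"http://example.invalid/external.dtd\">\n"
      + "  %ext;\n"
      + "]>\n"
      + "<module name=\"Checker\"/>";
    // Records every external resource the parser asks for instead of fetching it.
    static class RecordingHandler extends DefaultHandler {
        final List<String> requested = new ArrayList<>();
        @Override public InputSource resolveEntity(String publicId, String systemId) {
            requested.add(systemId);
            return new InputSource(new StringReader("")); // serve an empty DTD, no I/O
        }
    }
    // Incomplete hardening: general entities off, but parameter entities are still resolved.
    static SAXParserFactory incompleteFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        return f;
    }
    // Complete hardening: no external general or parameter entities, no external DTD, no XInclude.
    static SAXParserFactory hardenedFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        return f;
    }
    // Returns the system ids the parser tried to resolve while parsing xml.
    static List<String> externalRequests(SAXParserFactory f, String xml) throws Exception {
        RecordingHandler h = new RecordingHandler();
        f.newSAXParser().parse(new InputSource(new StringReader(xml)), h);
        return h.requested;
    }
    public static void main(String[] args) throws Exception {
        System.out.println("incomplete: " + externalRequests(incompleteFactory(), UNTRUSTED_CONFIG));
        System.out.println("hardened:   " + externalRequests(hardenedFactory(), UNTRUSTED_CONFIG));
    }
}
```

With the incomplete factory the recorded list contains the placeholder URL, showing that the parser would have reached out for the parameter entity; with the hardened factory the list stays empty because the entity reference is skipped before resolution. Note that disallowing DOCTYPE entirely (`http://apache.org/xml/features/disallow-doctype-decl`) is stricter still, but is only an option where the configs being parsed never carry a DOCTYPE.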
Metadata
Created: 2020-01-31T18:00:07Z
Modified: 2021-08-19T16:49:30Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/01/GHSA-763g-fqq7-48wg/GHSA-763g-fqq7-48wg.json
CWE IDs: ["CWE-611"]
Alternative ID: GHSA-763g-fqq7-48wg
Finding: F083
Auto approve: 1