CVE-2019-7722 – net.sourceforge.pmd:pmd-core
Package
Manager: maven
Name: net.sourceforge.pmd:pmd-core
Vulnerable Version: >=0 <6.0.0
Severity
Level: High
CVSS v3.1: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00451 (percentile 0.62811)
Details
Improper Restriction of XML External Entity Reference in PMD

PMD 5.8.1 and earlier processes XML external entities in the ruleset files it parses as part of the analysis process. An attacker who tampers with a ruleset (either by direct modification or through a MITM attack when remote rulesets are used) can perform information disclosure, denial of service, or request forgery attacks. (PMD 6.x is unaffected because of a 2017-09-15 change.)
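For builds that cannot move to PMD 6.x immediately, ruleset files can be screened for DTD content before the affected PMD version parses them. The following is an added example, not code from the advisory or from PMD; `audit_ruleset`, `DtdFound` and both sample rulesets are constructed for illustration, and the check assumes legitimate rulesets never need a DOCTYPE.

```python
import sys
import xml.parsers.expat

class DtdFound(Exception):
    """Raised to stop parsing once the DOCTYPE has been inspected."""

def audit_ruleset(xml_bytes):
    """Return findings for one ruleset; an empty list means no DTD was declared."""
    findings = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings.append(f"DOCTYPE declared for <{name}>")
        if system_id:
            findings.append(f"external DTD subset: {system_id}")

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None:
            findings.append(f"external entity &{name}; -> {system_id}")
        else:
            findings.append(f"internal entity &{name};")

    def on_doctype_end():
        raise DtdFound()  # stop here: no entity reference in the body is ever expanded

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.EndDoctypeDeclHandler = on_doctype_end
    try:
        parser.Parse(xml_bytes, True)
    except DtdFound:
        pass
    except xml.parsers.expat.ExpatError as exc:
        findings.append(f"not well-formed: {exc}")
    return findings

# Constructed sample inputs (not taken from the advisory).
CLEAN = b"""<?xml version="1.0"?>
<ruleset name="constructed-sample"><description>ok</description></ruleset>"""
TAMPERED = b"""<?xml version="1.0"?>
<!DOCTYPE ruleset [ <!ENTITY ext SYSTEM "file:///constructed/placeholder.txt"> ]>
<ruleset name="constructed-sample"><description>&ext;</description></ruleset>"""

if __name__ == "__main__":
    bad = False
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            for finding in audit_ruleset(fh.read()):
                bad = True
                print(f"{path}: {finding}")
    sys.exit(1 if bad else 0)
```

Run it over every ruleset path the build references and fail the job on a non-zero exit; remotely hosted rulesets need to be fetched and checked before PMD reads them.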
Metadata
Created: 2022-05-14T01:33:06Z
Modified: 2022-06-24T14:57:57Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-57qj-79gh-69w8/GHSA-57qj-79gh-69w8.json
CWE IDs: ["CWE-611"]
Alternative ID: GHSA-57qj-79gh-69w8
Finding: F083
Auto approve: 1