logo

Database

XML injection (XXE) In net.sourceforge.pmd:pmd-core

Description

Improper Restriction of XML External Entity Reference in PMD PMD 5.8.1 and earlier processes XML external entities in ruleset files it parses as part of the analysis process, allowing attackers tampering it (either by direct modification or MITM attacks when using remote rulesets) to perform information disclosure, denial of service, or request forgery attacks. (PMD 6.x is unaffected because of a 2017-09-15 change.)

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2019-77222. NVD-2019-77223. OSV-2019-77224. GCVE-2019-7722

References

1. https://github.com/pmd/pmd/issues/1650

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.