Description
PMD 5.8.1 and earlier processes XML external entities in ruleset files it parses as part of the analysis process, allowing attackers tampering it (either by direct modification or MITM attacks when using remote rulesets) to perform information disclosure, denial of service, or request forgery attacks. (PMD 6.x is unaffected because of a 2017-09-15 change.)
Remediation
References
https://github.com/pmd/pmd/issues/1650
Related Vulnerabilities
CVE-2023-32314 Vulnerability in maven package org.webjars.npm:vm2
CVE-2022-43401 Vulnerability in maven package org.jenkins-ci.plugins:script-security
CVE-2021-25948 Vulnerability in npm package expand-hash
CVE-2021-24122 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core
CVE-2022-29648 Vulnerability in maven package com.jflyfox:jflyfox_jfinal