Description
PMD 5.8.1 and earlier processes XML external entities in the ruleset files it parses as part of the analysis process, allowing attackers who tamper with those files (either by direct modification or through MITM attacks when remote rulesets are used) to perform information disclosure, denial of service, or request forgery attacks. (PMD 6.x is unaffected because of a 2017-09-15 change.)
Remediation
References
https://github.com/pmd/pmd/issues/1650
Related Vulnerabilities
CVE-2023-29205 Vulnerability in maven package org.xwiki.platform:xwiki-platform-rendering-xwiki
CVE-2020-13654 Vulnerability in maven package org.xwiki.platform:xwiki-platform-oldcore
CVE-2023-49487 Vulnerability in maven package com.jfinal:jfinal
CVE-2023-33496 Vulnerability in maven package com.xuxueli:xxl-rpc-core