Description

In DiffPlug Spotless before 1.20.0 (library and Maven plugin) and before 3.20.0 (Gradle plugin), the XML parser would resolve external entities over both HTTP and HTTPS and didn't respect the resolveExternalEntities setting. For example, this allows disclosure of file contents to a MITM attacker if a victim performs a spotlessApply operation on an untrusted XML file.

Remediation

References

https://github.com/diffplug/spotless/blob/master/plugin-gradle/CHANGES.md#version-3200---march-11th-2018-javadoc-jcenter

https://github.com/diffplug/spotless/blob/master/plugin-maven/CHANGES.md#version-1200---march-14th-2018-javadoc-jcenter

https://github.com/diffplug/spotless/issues/358

https://github.com/diffplug/spotless/pull/369

https://lists.apache.org/thread.html/r7406e297228c42deeecdd12a576e39d63073faebf14b027b7608fdfd%40%3Cissues.iceberg.apache.org%3E

Related Vulnerabilities

CVE-2019-10279 Vulnerability in maven package org.jenkins-ci.plugins:jenkins-reviewbot

CVE-2019-1003078 Vulnerability in maven package org.jenkins-ci.plugins:labmanager

CVE-2017-16037 Vulnerability in npm package gomeplus-h5-proxy

CVE-2023-5654 Vulnerability in npm package react-devtools

CVE-2020-2137 Vulnerability in maven package org.jenkins-ci.plugins:timestamper

Severity

High

Classification

CWE-611 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Tags

Release Notes Third Party Advisory Issue Tracking