Description
In DiffPlug Spotless before 1.20.0 (library and Maven plugin) and before 3.20.0 (Gradle plugin), the XML parser would resolve external entities over both HTTP and HTTPS and didn't respect the resolveExternalEntities setting. For example, this allows disclosure of file contents to a MITM attacker if a victim performs a spotlessApply operation on an untrusted XML file.
Remediation
References
https://github.com/diffplug/spotless/blob/master/plugin-maven/CHANGES.md#version-1200---march-14th-2018-javadoc-jcenter
https://github.com/diffplug/spotless/blob/master/plugin-gradle/CHANGES.md#version-3200---march-11th-2018-javadoc-jcenter
https://github.com/diffplug/spotless/pull/369
https://github.com/diffplug/spotless/issues/358
https://lists.apache.org/thread.html/r7406e297228c42deeecdd12a576e39d63073faebf14b027b7608fdfd%40%3Cissues.iceberg.apache.org%3E
Related Vulnerabilities
CVE-2022-1291 Vulnerability in maven package org.webjars.bowergithub.hhurz:tableexport.jquery.plugin
CVE-2022-37262 Vulnerability in npm package steal
CVE-2017-5929 Vulnerability in maven package ch.qos.logback:logback-classic
CVE-2018-1000195 Vulnerability in maven package org.jenkins-ci.main:jenkins-core
CVE-2022-34115 Vulnerability in maven package io.dataease:dataease-plugin-common