Description

In DiffPlug Spotless before 1.20.0 (library and Maven plugin) and before 3.20.0 (Gradle plugin), the XML parser would resolve external entities over both HTTP and HTTPS and didn't respect the resolveExternalEntities setting. For example, this allows disclosure of file contents to a MITM attacker if a victim performs a spotlessApply operation on an untrusted XML file.

Remediation

References

https://github.com/diffplug/spotless/blob/master/plugin-maven/CHANGES.md#version-1200---march-14th-2018-javadoc-jcenter

https://github.com/diffplug/spotless/blob/master/plugin-gradle/CHANGES.md#version-3200---march-11th-2018-javadoc-jcenter

https://github.com/diffplug/spotless/pull/369

https://github.com/diffplug/spotless/issues/358

https://lists.apache.org/thread.html/r7406e297228c42deeecdd12a576e39d63073faebf14b027b7608fdfd%40%3Cissues.iceberg.apache.org%3E

Related Vulnerabilities

CVE-2020-6460 Vulnerability in maven package org.webjars.npm:electron

CVE-2021-21252 Vulnerability in maven package org.webjars.bowergithub.jquery-validation:jquery-validation

CVE-2022-41928 Vulnerability in maven package org.xwiki.platform:xwiki-platform-attachment-ui

CVE-2019-14772 Vulnerability in maven package org.webjars.npm:verdaccio

CVE-2019-16538 Vulnerability in maven package org.jenkins-ci.plugins:script-security

Severity

High

Classification

CWE-611 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Tags

Release Notes Third Party Advisory Issue Tracking