Description
PMD 5.8.1 and earlier processes XML external entities in the ruleset files it parses as part of the analysis process. An attacker who can tamper with a ruleset (either by modifying the file directly or by a MITM attack when a remote ruleset is used) can therefore perform information disclosure, denial of service, or request forgery attacks. (PMD 6.x is unaffected because of a 2017-09-15 change.)
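The defensive configuration for this class of issue is a DOM parser that refuses DOCTYPEs and external entities before it touches a ruleset. The following is an added example, not PMD's own code: the ruleset document is constructed for illustration and the `file:///example/secret.txt` path in it is a placeholder.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class HardenedRulesetParser {

    // Constructed sample: a ruleset-like document carrying an external entity
    // declaration. A parser that resolves it would read the referenced file
    // and place its contents inside <description> (the information-disclosure
    // case named in the advisory). The path is a placeholder.
    static final String TAMPERED_RULESET =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE ruleset [<!ENTITY ext SYSTEM \"file:///example/secret.txt\">]>\n"
      + "<ruleset name=\"example\">\n"
      + "  <description>&ext;</description>\n"
      + "</ruleset>\n";

    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE: rulesets need none, and this blocks entity
        // declarations outright (it also stops entity-expansion DoS).
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case the DOCTYPE feature is not honoured.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f;
    }

    static Document parseRuleset(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilder b = hardenedFactory().newDocumentBuilder();
        return b.parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        try {
            parseRuleset(TAMPERED_RULESET);
            System.out.println("parsed (unexpected: the DOCTYPE should have been rejected)");
        } catch (SAXException e) {
            // Expected path: the DOCTYPE is rejected, so the entity is never resolved.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Running it against the constructed ruleset ends in the `rejected:` branch; a parser built from a default `DocumentBuilderFactory` would instead resolve the entity.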
Remediation
References
https://github.com/pmd/pmd/issues/1650