Description
PMD 5.8.1 and earlier processes XML external entities in ruleset files it parses as part of the analysis process, allowing attackers tampering it (either by direct modification or MITM attacks when using remote rulesets) to perform information disclosure, denial of service, or request forgery attacks. (PMD 6.x is unaffected because of a 2017-09-15 change.)
Remediation
References
https://github.com/pmd/pmd/issues/1650
Related Vulnerabilities
CVE-2020-7672 Vulnerability in npm package mosc
CVE-2017-1000427 Vulnerability in maven package org.webjars:marked
CVE-2022-21186 Vulnerability in npm package @acrontum/filesystem-template
CVE-2020-28191 Vulnerability in maven package org.togglz:togglz-console
CVE-2023-40816 Vulnerability in maven package org.opencrx:opencrx-core-models