Description
PMD 5.8.1 and earlier processes XML external entities in ruleset files it parses as part of the analysis process, allowing attackers tampering it (either by direct modification or MITM attacks when using remote rulesets) to perform information disclosure, denial of service, or request forgery attacks. (PMD 6.x is unaffected because of a 2017-09-15 change.)
Remediation
References
https://github.com/pmd/pmd/issues/1650
Related Vulnerabilities
CVE-2018-20677 Vulnerability in maven package org.webjars.npm:bootstrap
CVE-2020-9488 Vulnerability in maven package org.apache.logging.log4j:log4j-core
CVE-2022-23463 Vulnerability in maven package com.nepxion:discovery-commons
CVE-2020-8124 Vulnerability in maven package org.webjars.npm:url-parse
CVE-2023-46122 Vulnerability in maven package org.scala-sbt:io_2.13