Description

PMD 5.8.1 and earlier processes XML external entities in ruleset files it parses as part of the analysis process, allowing attackers tampering it (either by direct modification or MITM attacks when using remote rulesets) to perform information disclosure, denial of service, or request forgery attacks. (PMD 6.x is unaffected because of a 2017-09-15 change.)

Remediation

References

https://github.com/pmd/pmd/issues/1650

Related Vulnerabilities

CVE-2022-46907 Vulnerability in maven package org.apache.jspwiki:jspwiki-war

CVE-2010-2076 Vulnerability in maven package org.apache.axis2:axis2-kernel

CVE-2023-27162 Vulnerability in maven package org.openapitools:openapi-generator-project

CVE-2022-26585 Vulnerability in maven package net.mingsoft:ms-mcms

CVE-2021-21266 Vulnerability in maven package org.openhab.addons.bundles:org.openhab.binding.vitotronic

Severity

Critical

Classification

CWE-611 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Exploit Third Party Advisory