Description
PMD 5.8.1 and earlier resolves XML external entities in the ruleset files it parses as part of an analysis run (an XXE weakness). An attacker who can tamper with a ruleset, either by modifying the file directly or by a man-in-the-middle attack when PMD fetches a remote ruleset, can use it for information disclosure (reading local files into the parsed document), denial of service, or request forgery against hosts reachable from the machine running PMD. PMD 6.x is unaffected because of a 2017-09-15 change.
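The following is an added illustration of the weakness class described above; it is not PMD's code and the ruleset it parses is a constructed sample, not a real PMD ruleset. It contrasts a JAXP DocumentBuilderFactory left at its defaults (which resolves the external entity and copies the referenced file into the description element) with one hardened along the lines of the OWASP XXE guidance, which rejects the DOCTYPE before any entity is touched. The class and method names are the example's own.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class RulesetXxeDemo {

    // Constructed attacker-controlled ruleset (illustrative, not a real PMD
    // ruleset): the DOCTYPE declares an external entity that pulls a local
    // file into the <description> element when the parser expands it.
    static final String MALICIOUS_RULESET =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE ruleset [\n"
      + "  <!ENTITY xxe SYSTEM \"file:///etc/hostname\">\n"
      + "]>\n"
      + "<ruleset name=\"evil\">\n"
      + "  <description>&xxe;</description>\n"
      + "</ruleset>\n";

    // Default JAXP settings: DOCTYPE accepted, external entities resolved.
    static DocumentBuilderFactory vulnerableFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened settings: refuse DOCTYPE outright and, in case a parser
    // implementation ignores that feature, also disable entity resolution.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Parses the ruleset with the given factory and returns the text of
    // the first <description> element.
    static String parseDescription(DocumentBuilderFactory f, String xml) throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return d.getElementsByTagName("description").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Vulnerable path: the description now carries the contents of
        // /etc/hostname (or the parse fails with an I/O error if that file
        // does not exist, which still proves the entity was fetched).
        try {
            System.out.println("vulnerable parser read: "
                + parseDescription(vulnerableFactory(), MALICIOUS_RULESET));
        } catch (Exception e) {
            System.out.println("vulnerable parser attempted entity resolution: " + e);
        }

        // Hardened path: the DOCTYPE itself is rejected as a parse error.
        try {
            parseDescription(hardenedFactory(), MALICIOUS_RULESET);
            System.out.println("hardened parser unexpectedly accepted the ruleset");
        } catch (SAXParseException e) {
            System.out.println("hardened parser rejected ruleset: " + e.getMessage());
        }
    }
}
```

Run with `javac RulesetXxeDemo.java && java RulesetXxeDemo`. Swapping the `file:` URL for an `http:` URL to an internal host is the request-forgery variant named in the description; the hardened factory rejects that ruleset the same way, because the DOCTYPE is refused before any URL is consulted.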
Remediation
Upgrade to PMD 6.x, which the description above notes is unaffected following the 2017-09-15 change. Until the upgrade is done, use only local ruleset files you control, and fetch any remote ruleset over an authenticated, integrity-protected channel so it cannot be tampered with in transit.
References
https://github.com/pmd/pmd/issues/1650