Description
PMD 5.8.1 and earlier processes XML external entities in ruleset files it parses as part of the analysis process, allowing attackers tampering it (either by direct modification or MITM attacks when using remote rulesets) to perform information disclosure, denial of service, or request forgery attacks. (PMD 6.x is unaffected because of a 2017-09-15 change.)
Remediation
References
https://github.com/pmd/pmd/issues/1650
Related Vulnerabilities
CVE-2023-49376 Vulnerability in maven package com.jfinal:jfinal
CVE-2021-25945 Vulnerability in npm package js-extend
CVE-2020-6459 Vulnerability in maven package org.webjars.npm:electron
CVE-2020-28268 Vulnerability in npm package controlled-merge
CVE-2017-18869 Vulnerability in maven package org.webjars.npm:chownr