Description

In DiffPlug Spotless before 1.20.0 (library and Maven plugin) and before 3.20.0 (Gradle plugin), the XML parser would resolve external entities over both HTTP and HTTPS and didn't respect the resolveExternalEntities setting. For example, this allows disclosure of file contents to a MITM attacker if a victim performs a spotlessApply operation on an untrusted XML file.

Remediation

References

https://github.com/diffplug/spotless/blob/master/plugin-gradle/CHANGES.md#version-3200---march-11th-2018-javadoc-jcenter

https://github.com/diffplug/spotless/blob/master/plugin-maven/CHANGES.md#version-1200---march-14th-2018-javadoc-jcenter

https://github.com/diffplug/spotless/issues/358

https://github.com/diffplug/spotless/pull/369

https://lists.apache.org/thread.html/r7406e297228c42deeecdd12a576e39d63073faebf14b027b7608fdfd%40%3Cissues.iceberg.apache.org%3E

Related Vulnerabilities

CVE-2020-28496 Vulnerability in npm package three

CVE-2022-22965 Vulnerability in maven package org.springframework:spring-webflux

CVE-2019-13343 Vulnerability in maven package com.butor:portal

CVE-2021-21169 Vulnerability in npm package electron

CVE-2017-16114 Vulnerability in maven package org.webjars.bower:marked

Severity

High

Classification

CWE-611 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Tags

Release Notes Third Party Advisory Issue Tracking