Description
In DiffPlug Spotless before 1.20.0 (library and Maven plugin) and before 3.20.0 (Gradle plugin), the XML parser would resolve external entities over both HTTP and HTTPS and didn't respect the resolveExternalEntities setting. For example, this allows disclosure of file contents to a MITM attacker if a victim performs a spotlessApply operation on an untrusted XML file.
Remediation
References
https://github.com/diffplug/spotless/blob/master/plugin-gradle/CHANGES.md#version-3200---march-11th-2018-javadoc-jcenter
https://github.com/diffplug/spotless/blob/master/plugin-maven/CHANGES.md#version-1200---march-14th-2018-javadoc-jcenter
https://github.com/diffplug/spotless/issues/358
https://github.com/diffplug/spotless/pull/369
https://lists.apache.org/thread.html/r7406e297228c42deeecdd12a576e39d63073faebf14b027b7608fdfd%40%3Cissues.iceberg.apache.org%3E
Related Vulnerabilities
CVE-2023-47327 Vulnerability in maven package org.silverpeas.core:silverpeas-core-web
CVE-2016-10735 Vulnerability in maven package fr.norad.bootstrap:bootstrap
CVE-2020-24616 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind
CVE-2018-3745 Vulnerability in maven package org.webjars.bowergithub.node-browser-compat:atob
CVE-2022-24821 Vulnerability in maven package org.xwiki.platform:xwiki-platform-skin-skinx