7.5

CVE-2019-9843

In DiffPlug Spotless before 1.20.0 (library and Maven plugin) and before 3.20.0 (Gradle plugin), the XML parser would resolve external entities over both HTTP and HTTPS and didn't respect the resolveExternalEntities setting. For example, this allows disclosure of file contents to a MITM attacker if a victim performs a spotlessApply operation on an untrusted XML file.
Data provided by the National Vulnerability Database (NVD)
Affected configurations:
Vendor: Diffplug, Product: spotless, Platform: gradle, Version < 3.20.0
Vendor: Diffplug, Product: spotless, Platform: maven, Version < 1.20.0
No advisory was found for this CVE.
EPSS metrics
Type: EPSS | Source: FIRST.org | Score: 1.5% | Percentile: 0.709
CVSS metrics
Source: nvd@nist.gov | Base Score: 7.5 | Exploit Score: 1.6 | Impact Score: 5.9 | Vector String: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Source: nvd@nist.gov | Base Score: 5.1 | Exploit Score: 4.9 | Impact Score: 6.4 | Vector String: AV:N/AC:H/Au:N/C:P/I:P/A:P
CWE-611 Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

https://github.com/diffplug/spotless/blob/master/plugin-gradle/CHANGES.md#version-3200---march-11th-2018-javadoc-jcenter
Third Party Advisory
Release Notes
https://github.com/diffplug/spotless/blob/master/plugin-maven/CHANGES.md#version-1200---march-14th-2018-javadoc-jcenter
Third Party Advisory
Release Notes
https://github.com/diffplug/spotless/issues/358
Third Party Advisory
Issue Tracking
https://github.com/diffplug/spotless/pull/369
Third Party Advisory
Issue Tracking
https://lists.apache.org/thread.html/r7406e297228c42deeecdd12a576e39d63073faebf14b027b7608fdfd%40%3Cissues.iceberg.apache.org%3E