1. Home
  2. Security Advisories
  3. Maven
  4. MAVEN:GHSA-7V35-QWWJ-P98G

[MAVEN:GHSA-7V35-QWWJ-P98G] Improper Restriction of XML External Entity Reference in DiffPlug Spotless

Severity High
Affected Packages 2
Fixed Packages 2
CVEs 1
Info Packages References Vulnerabilities

In DiffPlug Spotless before 1.20.0 (library and Maven plugin) and before 3.20.0 (Gradle plugin), the XML parser would resolve external entities over both HTTP and HTTPS and didn't respect the resolveExternalEntities setting. For example, this allows disclosure of file contents to a MITM attacker if a victim performs a spotlessApply operation on an untrusted XML file.

Package Affected Version
pkg:maven/com.diffplug.spotless/spotless-plugin-gradle < 3.20.0
pkg:maven/com.diffplug.spotless/spotless-maven-plugin < 1.20.0
Package Fixed Version
pkg:maven/com.diffplug.spotless/spotless-plugin-gradle = 3.20.0
pkg:maven/com.diffplug.spotless/spotless-maven-plugin = 1.20.0
ID
MAVEN:GHSA-7V35-QWWJ-P98G
Severity
high
URL
https://github.com/advisories/GHSA-7v35-qwwj-p98g
Published
2019-07-05T21:07:40
(5 years ago)
Modified
2023-01-28T05:00:54
(19 months ago)
Rights
Maven Security Team
Type Package URL Namespace Name / Product Version Distribution / Platform Arch Patch / Fix
Affected pkg:maven/com.diffplug.spotless/spotless-plugin-gradle com.diffplug.spotless spotless-plugin-gradle < 3.20.0
Fixed pkg:maven/com.diffplug.spotless/spotless-plugin-gradle com.diffplug.spotless spotless-plugin-gradle = 3.20.0
Affected pkg:maven/com.diffplug.spotless/spotless-maven-plugin com.diffplug.spotless spotless-maven-plugin < 1.20.0
Fixed pkg:maven/com.diffplug.spotless/spotless-maven-plugin com.diffplug.spotless spotless-maven-plugin = 1.20.0
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories Exploits PoC Pubblication Date Modification Date
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories PoC Pubblication Date Modification Date