Описание
In DiffPlug Spotless before 1.20.0 (library and Maven plugin) and before 3.20.0 (Gradle plugin), the XML parser would resolve external entities over both HTTP and HTTPS and didn't respect the resolveExternalEntities setting. For example, this allows disclosure of file contents to a MITM attacker if a victim performs a spotlessApply operation on an untrusted XML file.
Ссылки
- Release NotesThird Party Advisory
- Release NotesThird Party Advisory
- Issue TrackingThird Party Advisory
- Issue TrackingThird Party Advisory
- Release NotesThird Party Advisory
- Release NotesThird Party Advisory
- Issue TrackingThird Party Advisory
- Issue TrackingThird Party Advisory
Уязвимые конфигурации
Конфигурация 1Версия до 3.20.0 (исключая)Версия до 1.20.0 (исключая)
Одно из
cpe:2.3:a:diffplug:gradle:*:*:*:*:*:spotless:*:*
cpe:2.3:a:diffplug:maven:*:*:*:*:*:spotless:*:*
EPSS
Процентиль: 56%
0.00343
Низкий
7.5 High
CVSS3
5.1 Medium
CVSS2
Дефекты
CWE-611
Связанные уязвимости
CVSS3: 7.5
github
больше 6 лет назад
Improper Restriction of XML External Entity Reference in DiffPlug Spotless
EPSS
Процентиль: 56%
0.00343
Низкий
7.5 High
CVSS3
5.1 Medium
CVSS2
Дефекты
CWE-611