QwikSec

Security Database

CVE

CWE

Training

CVE-2019-9843

Published: Mar 15, 2019

Modified: Aug 4, 2024

PUBLISHED

Description

In DiffPlug Spotless before 1.20.0 (library and Maven plugin) and before 3.20.0 (Gradle plugin), the XML parser would resolve external entities over both HTTP and HTTPS and didn't respect the resolveExternalEntities setting. For example, this allows disclosure of file contents to a MITM attacker if a victim performs a spotlessApply operation on an untrusted XML file.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://github.com/diffplug/spotless/blob/master/plugin-maven/CHANGES.md#version-1200---march-14th-2018-javadoc-jcenter

x_refsource_MISC

https://github.com/diffplug/spotless/issues/358

x_refsource_MISC

https://github.com/diffplug/spotless/blob/master/plugin-gradle/CHANGES.md#version-3200---march-11th-2018-javadoc-jcenter

x_refsource_MISC

https://github.com/diffplug/spotless/pull/369

x_refsource_MISC

[iceberg-issues] 20210701 [GitHub] [iceberg] jackye1995 opened a new pull request #2776: Build: bump up DiffPlug Spotless version

mailing-list

x_refsource_MLIST

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.