CVE-2019-9843

Name of the Vulnerable Software and Affected Versions DiffPlug Spotless versions prior to 1.20.0 (library and Maven plugin) DiffPlug Spotless versions prior to 3.20.0 (Gradle plugin)

Description The issue allows disclosure of file contents to a man-in-the-middle (MITM) attacker when a victim performs a spotlessApply operation on an untrusted XML file. This is due to the XML parser resolving external entities over both HTTP and HTTPS and not respecting the resolveExternalEntities setting.

Recommendations For versions prior to 1.20.0 (library and Maven plugin), update to version 1.20.0 or later. For versions prior to 3.20.0 (Gradle plugin), update to version 3.20.0 or later.