PT-2019-19891 · Diffplug · Diffplug Spotless

Published

2019-03-15

Updated

2021-07-02

CVE-2019-9843

CVSS v3.1

7.5

High

Vector

AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions DiffPlug Spotless versions prior to 1.20.0 (library and Maven plugin) DiffPlug Spotless versions prior to 3.20.0 (Gradle plugin)

Description The issue allows disclosure of file contents to a man-in-the-middle (MITM) attacker when a victim performs a spotlessApply operation on an untrusted XML file. This is due to the XML parser resolving external entities over both HTTP and HTTPS and not respecting the resolveExternalEntities setting.

Recommendations For versions prior to 1.20.0 (library and Maven plugin), update to version 1.20.0 or later. For versions prior to 3.20.0 (Gradle plugin), update to version 3.20.0 or later.

Fix

XXE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-611

Related Identifiers

CVE-2019-9843

GHSA-7V35-QWWJ-P98G

Affected Products

Diffplug Spotless

PT-2019-19891 · Diffplug · Diffplug Spotless

CVE-2019-9843

Weakness Enumeration

Related Identifiers

Affected Products

References · 9