Improper Restriction of XML External Entity Reference in PMD
High severity
GitHub Reviewed
Published
May 14, 2022
to the GitHub Advisory Database
•
Updated Jan 27, 2023
Description
Published by the National Vulnerability Database
Feb 11, 2019
Published to the GitHub Advisory Database
May 14, 2022
Reviewed
Jun 24, 2022
Last updated
Jan 27, 2023
PMD 5.8.1 and earlier processes XML external entities in ruleset files it parses as part of the analysis process, allowing attackers tampering it (either by direct modification or MITM attacks when using remote rulesets) to perform information disclosure, denial of service, or request forgery attacks. (PMD 6.x is unaffected because of a 2017-09-15 change.)
References