CVE-2019-9843
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2019-9843
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-9843.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2019-9843
- Aliases
- Published
- 2019-06-28T18:15:15Z
- Modified
- 2024-05-14T07:30:00.912626Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
In DiffPlug Spotless before 1.20.0 (library and Maven plugin) and before 3.20.0 (Gradle plugin), the XML parser would resolve external entities over both HTTP and HTTPS and didn't respect the resolveExternalEntities setting. For example, this allows disclosure of file contents to a MITM attacker if a victim performs a spotlessApply operation on an untrusted XML file.
- References
-
- https://github.com/diffplug/spotless/issues/358
- https://github.com/diffplug/spotless/pull/369
- https://github.com/diffplug/spotless/blob/master/plugin-gradle/CHANGES.md#version-3200---march-11th-2018-javadoc-jcenter
- https://github.com/diffplug/spotless/blob/master/plugin-maven/CHANGES.md#version-1200---march-14th-2018-javadoc-jcenter
- https://lists.apache.org/thread.html/r7406e297228c42deeecdd12a576e39d63073faebf14b027b7608fdfd%40%3Cissues.iceberg.apache.org%3E
Affected packages
Git / github.com/diffplug/spotless
Affected ranges
- Type
- GIT
- Repo
- https://github.com/diffplug/spotless
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
ext-eclipse-base/3.*
ext-eclipse-base/3.0.0
ext-eclipse-base/3.1.0
ext-eclipse-cdt/9.*
ext-eclipse-cdt/9.4.3
ext-eclipse-cdt/9.4.4
ext-eclipse-cdt/9.4.5
ext-eclipse-groovy/2.*
ext-eclipse-groovy/2.9.2
ext-eclipse-groovy/3.*
ext-eclipse-groovy/3.0.0
ext-eclipse-groovy/3.0.1
ext-eclipse-jdt/4.*
ext-eclipse-jdt/4.6.3
ext-eclipse-jdt/4.7.0
ext-eclipse-jdt/4.7.1
ext-eclipse-jdt/4.7.2
ext-eclipse-jdt/4.8.0
ext-eclipse-wtp/3.*
ext-eclipse-wtp/3.9.5
ext-eclipse-wtp/3.9.6
ext-eclipse-wtp/3.9.7
ext-eclipse-wtp/3.9.8
ext-greclipse/2.*
ext-greclipse/2.3.0
gradle/3.*
gradle/3.0.0
gradle/3.0.0.ALPHA
gradle/3.0.0.BETA
gradle/3.0.0.BETA2
gradle/3.0.0.BETA3
gradle/3.0.0.RC1
gradle/3.0.0.RC2
gradle/3.1.0
gradle/3.10.0
gradle/3.12.0
gradle/3.13.0
gradle/3.14.0
gradle/3.15.0
gradle/3.16.0
gradle/3.17.0
gradle/3.18.0
gradle/3.19.0
gradle/3.2.0
gradle/3.3.0
gradle/3.3.2
gradle/3.4.0
gradle/3.4.1
gradle/3.5.0
gradle/3.5.1
gradle/3.5.2
gradle/3.6.0
gradle/3.7.0
gradle/3.8.0
gradle/3.9.0
lib/1.*
lib/1.0.0
lib/1.0.0.ALPHA
lib/1.0.0.BETA
lib/1.0.0.BETA2
lib/1.0.0.BETA3
lib/1.0.0.RC1
lib/1.0.0.RC2
lib/1.1.0
lib/1.10.0
lib/1.11.0
lib/1.12.0
lib/1.13.0
lib/1.14.0
lib/1.15.0
lib/1.16.0
lib/1.17.0
lib/1.18.0
lib/1.19.0
lib/1.2.0
lib/1.3.0
lib/1.3.2
lib/1.4.0
lib/1.4.1
lib/1.5.0
lib/1.5.1
lib/1.6.0
lib/1.7.0
lib/1.8.0
lib/1.9.0
maven/1.*
maven/1.0.0.ALPHA
maven/1.0.0.BETA1
maven/1.0.0.BETA2
maven/1.0.0.BETA3
maven/1.0.0.BETA4
maven/1.0.0.BETA5
maven/1.13.0
maven/1.14.0
maven/1.15.0
maven/1.16.0
maven/1.17.0
maven/1.18.0
maven/1.19.0
v1.*
v1.0
v1.1
v1.2.0
v1.3.0
v1.3.1
v1.3.2
v1.3.3
v2.*
v2.0.0
v2.1.0
v2.2.0
v2.3.0
v2.4.0
v2.4.1