GHSA-57qj-79gh-69w8

Source

https://github.com/advisories/GHSA-57qj-79gh-69w8

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-57qj-79gh-69w8/GHSA-57qj-79gh-69w8.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-57qj-79gh-69w8

Aliases

CVE-2019-7722

Published

2022-05-14T01:33:06Z

Modified

2023-11-08T04:01:39.222625Z

Severity

8.1 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Improper Restriction of XML External Entity Reference in PMD

Details

PMD 5.8.1 and earlier processes XML external entities in ruleset files it parses as part of the analysis process, allowing attackers tampering it (either by direct modification or MITM attacks when using remote rulesets) to perform information disclosure, denial of service, or request forgery attacks. (PMD 6.x is unaffected because of a 2017-09-15 change.)

Database specific

{
    "nvd_published_at": "2019-02-11T14:29:00Z",
    "github_reviewed_at": "2022-06-24T14:57:57Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-611"
    ]
}

References

Affected packages

Maven / net.sourceforge.pmd:pmd-core

Package

Name: net.sourceforge.pmd:pmd-core; View open source insights on deps.dev
Purl: pkg:maven/net.sourceforge.pmd/pmd-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.0.0

Affected versions

5.*

5.2.0

5.2.1

5.2.2

5.2.3

5.3.0

5.3.1

5.3.2

5.3.3

5.3.4

5.3.5

5.3.6

5.3.7

5.3.8

5.4.0

5.4.1

5.4.2

5.4.3

5.4.4

5.4.5

5.4.6

5.5.0

5.5.1

5.5.2

5.5.3

5.5.4

5.5.5

5.5.6

5.5.7

5.6.0

5.6.1

5.7.0

5.8.0

5.8.1

Database specific

{
    "last_known_affected_version_range": "<= 5.8.1"
}