Improper Restriction of XML External Entity Reference
In DiffPlug Spotless (library and Maven plugin), the XML parser would resolve external entities over both HTTP and HTTPS and ignores the resolveExternalEntities setting. This allows disclosure of file contents to a MITM attacker if a victim performs a spotlessApply operation on an untrusted XML file.