CVE-2019-9843: Improper Restriction of XML External Entity Reference

June 28, 2019 (updated July 5, 2019)

In DiffPlug Spotless (library and Maven plugin), the XML parser would resolve external entities over both HTTP and HTTPS and ignores the resolveExternalEntities setting. This allows disclosure of file contents to a MITM attacker if a victim performs a spotlessApply operation on an untrusted XML file.

References

github.com/diffplug/spotless/issues/358
github.com/diffplug/spotless/pull/369
nvd.nist.gov/vuln/detail/CVE-2019-9843

Detect and mitigate CVE-2019-9843 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →