Improper Restriction of XML External Entity Reference
In DiffPlug Spotless, the XML parser would resolve external entities over both HTTP and HTTPS and ignore the resolveExternalEntities setting. This could allow disclosure of file contents to a MITM attacker if a victim performs a spotlessApply operation on an untrusted XML file.