CVE-2019-9843: Improper Restriction of XML External Entity Reference

July 5, 2019 (updated July 6, 2021)

In DiffPlug Spotless before 1.20.0 (library and Maven plugin) and before 3.20.0 (Gradle plugin), the XML parser would resolve external entities over both HTTP and HTTPS and didn’t respect the resolveExternalEntities setting. For example, this allows disclosure of file contents to a MITM attacker if a victim performs a spotlessApply operation on an untrusted XML file.

References

github.com/advisories/GHSA-7v35-qwwj-p98g
github.com/diffplug/spotless/blob/master/plugin-gradle/CHANGES.md
github.com/diffplug/spotless/blob/master/plugin-maven/CHANGES.md
github.com/diffplug/spotless/issues/358
github.com/diffplug/spotless/pull/369
nvd.nist.gov/vuln/detail/CVE-2019-9843

Detect and mitigate CVE-2019-9843 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →