CVE-2025-23215: PMD Designer's release key passphrase (GPG) available on Maven Central in cleartext
While rebuilding PMD Designer for Reproducible Builds and digging into issues, I found out that the passphrase for gpg.keyname=0xD0BF1D737C9A1C22 is included in the jar published to Maven Central.
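The class of defect described here (a signing passphrase shipped inside a published artifact) is easy to catch before release by inspecting the jar for build-configuration entries that carry secret-bearing property keys. The following is an added example, not code from the PMD project: it opens a jar as a zip, looks at entries that look like build configuration, and reports any line whose key is a known secret-carrying property. Only `gpg.keyname` comes from the advisory; the property names `gpg.passphrase`, `signing.password` and `signing.secretKeyRingFile`, the entry-name patterns, the file name `build.properties` and the passphrase value are assumptions or constructed sample data.

```python
"""Scan a jar (zip) for build-configuration entries that leak signing secrets.

Added example for this advisory; not PMD's code. Apart from gpg.keyname,
which the advisory mentions, every property and file name below is assumed.
"""
import io
import re
import sys
import zipfile

# Property keys whose values must never appear in a published artifact.
# These are assumed names as used by common Maven/Gradle signing setups.
SECRET_KEYS = re.compile(
    r"^\s*(gpg\.passphrase|signing\.password|signing\.secretKeyRingFile)\s*[=:]",
    re.MULTILINE,
)
# Zip entries that typically hold build configuration (assumed list).
CONFIG_ENTRY = re.compile(r"(\.properties|settings\.xml)$")


def find_leaked_secrets(jar_bytes):
    """Return a list of (entry_name, property_key) for every secret-bearing
    key found in a configuration entry of the jar."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not CONFIG_ENTRY.search(info.filename):
                continue
            text = zf.read(info.filename).decode("utf-8", errors="replace")
            for match in SECRET_KEYS.finditer(text):
                findings.append((info.filename, match.group(1)))
    return findings


def build_sample_jar(leak):
    """Constructed sample jar: a manifest, one class entry and a properties
    file that carries only the public key id (leak=False) or also the
    passphrase (leak=True). The passphrase value is a placeholder."""
    props = "gpg.keyname=0xD0BF1D737C9A1C22\n"
    if leak:
        props += "gpg.passphrase=CONSTRUCTED-PLACEHOLDER-PASSPHRASE\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")
        zf.writestr("build.properties", props)  # assumed entry name
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python scan_jar.py <path-to-jar>; without an argument, scan the
    # constructed leaking sample so the script runs offline.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample_jar(leak=True)
    for entry, key in find_leaked_secrets(data):
        print(f"secret-bearing key {key!r} found in entry {entry!r}")
```

A check like this fits naturally into a release pipeline step that runs after packaging and fails the build on any finding; the key id alone (`gpg.keyname`) is public information and is deliberately not flagged, only the properties that carry the secret itself.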
References
- github.com/advisories/GHSA-88m4-h43f-wx84
- github.com/jvm-repo-rebuild/reproducible-central/blob/master/content/net/sourceforge/pmd/pmd-designer/README.md
- github.com/jvm-repo-rebuild/reproducible-central/blob/master/content/net/sourceforge/pmd/pmd-designer/pmd-designer-7.0.0.diffoscope
- github.com/jvm-repo-rebuild/reproducible-central?tab=readme-ov-file
- github.com/pmd/pmd
- github.com/pmd/pmd-designer/commit/1548f5f27ba2981b890827fecbd0612fa70a0362
- github.com/pmd/pmd-designer/commit/e87a45312753ec46b3e5576c6f6ac1f7de2f5891
- github.com/pmd/pmd/security/advisories/GHSA-88m4-h43f-wx84
- nvd.nist.gov/vuln/detail/CVE-2025-23215