CVE-2019-9843

Source
https://nvd.nist.gov/vuln/detail/CVE-2019-9843
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-9843.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2019-9843
Aliases
Published
2019-06-28T18:15:15Z
Modified
2024-10-12T05:26:42.114640Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

In DiffPlug Spotless before 1.20.0 (library and Maven plugin) and before 3.20.0 (Gradle plugin), the XML parser would resolve external entities over both HTTP and HTTPS and didn't respect the resolveExternalEntities setting. For example, this allows disclosure of file contents to a MITM attacker if a victim performs a spotlessApply operation on an untrusted XML file.

References

Affected packages

Git / github.com/diffplug/spotless

Affected ranges

Type
GIT
Repo
https://github.com/diffplug/spotless
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

ext-eclipse-base/3.*

ext-eclipse-base/3.0.0
ext-eclipse-base/3.1.0

ext-eclipse-cdt/9.*

ext-eclipse-cdt/9.4.3
ext-eclipse-cdt/9.4.4
ext-eclipse-cdt/9.4.5

ext-eclipse-groovy/2.*

ext-eclipse-groovy/2.9.2

ext-eclipse-groovy/3.*

ext-eclipse-groovy/3.0.0
ext-eclipse-groovy/3.0.1

ext-eclipse-jdt/4.*

ext-eclipse-jdt/4.6.3
ext-eclipse-jdt/4.7.0
ext-eclipse-jdt/4.7.1
ext-eclipse-jdt/4.7.2
ext-eclipse-jdt/4.8.0

ext-eclipse-wtp/3.*

ext-eclipse-wtp/3.9.5
ext-eclipse-wtp/3.9.6
ext-eclipse-wtp/3.9.7
ext-eclipse-wtp/3.9.8

ext-greclipse/2.*

ext-greclipse/2.3.0

gradle/3.*

gradle/3.0.0
gradle/3.0.0.ALPHA
gradle/3.0.0.BETA
gradle/3.0.0.BETA2
gradle/3.0.0.BETA3
gradle/3.0.0.RC1
gradle/3.0.0.RC2
gradle/3.1.0
gradle/3.10.0
gradle/3.12.0
gradle/3.13.0
gradle/3.14.0
gradle/3.15.0
gradle/3.16.0
gradle/3.17.0
gradle/3.18.0
gradle/3.19.0
gradle/3.2.0
gradle/3.3.0
gradle/3.3.2
gradle/3.4.0
gradle/3.4.1
gradle/3.5.0
gradle/3.5.1
gradle/3.5.2
gradle/3.6.0
gradle/3.7.0
gradle/3.8.0
gradle/3.9.0

lib/1.*

lib/1.0.0
lib/1.0.0.ALPHA
lib/1.0.0.BETA
lib/1.0.0.BETA2
lib/1.0.0.BETA3
lib/1.0.0.RC1
lib/1.0.0.RC2
lib/1.1.0
lib/1.10.0
lib/1.11.0
lib/1.12.0
lib/1.13.0
lib/1.14.0
lib/1.15.0
lib/1.16.0
lib/1.17.0
lib/1.18.0
lib/1.19.0
lib/1.2.0
lib/1.3.0
lib/1.3.2
lib/1.4.0
lib/1.4.1
lib/1.5.0
lib/1.5.1
lib/1.6.0
lib/1.7.0
lib/1.8.0
lib/1.9.0

maven/1.*

maven/1.0.0.ALPHA
maven/1.0.0.BETA1
maven/1.0.0.BETA2
maven/1.0.0.BETA3
maven/1.0.0.BETA4
maven/1.0.0.BETA5
maven/1.13.0
maven/1.14.0
maven/1.15.0
maven/1.16.0
maven/1.17.0
maven/1.18.0
maven/1.19.0

v1.*

v1.0
v1.1
v1.2.0
v1.3.0
v1.3.1
v1.3.2
v1.3.3

v2.*

v2.0.0
v2.1.0
v2.2.0
v2.3.0
v2.4.0
v2.4.1