CVE-2019-7722

HIGH

PMD <= 5.8.1 - XML External Entity Injection in Ruleset File Parsing

Title source: llm

Description

PMD 5.8.1 and earlier resolves XML external entities in the ruleset files it parses as part of the analysis process. An attacker who can tamper with a ruleset, either by modifying it directly or by intercepting it in transit (man-in-the-middle) when PMD is configured to load a remote ruleset, can exploit this to disclose local files, cause denial of service, or forge requests from the host running PMD. PMD 6.x is unaffected because of a change made on 2017-09-15.
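The following Java program is an added example, not PMD's own code: it assumes a ruleset is parsed with a stock JAXP DocumentBuilder (the page does not say which parser PMD used) and constructs a ruleset document that carries a SYSTEM entity. The default builder resolves the entity and splices the target file's contents into the parsed description, which is the disclosure path described above; the hardened builder rejects the document before any entity is resolved.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class RulesetXxeDemo {

    /** Constructed ruleset: shaped like a PMD ruleset, but the DOCTYPE declares an
     *  external entity whose value is read from a file on the host doing the parsing. */
    static String maliciousRuleset(Path secretFile) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE ruleset [\n"
             + "  <!ENTITY xxe SYSTEM \"" + secretFile.toUri() + "\">\n"
             + "]>\n"
             + "<ruleset name=\"Custom\">\n"
             + "  <description>&xxe;</description>\n"
             + "  <rule ref=\"rulesets/java/basic.xml\"/>\n"
             + "</ruleset>\n";
    }

    /** Default JAXP configuration: external general entities are resolved. */
    static DocumentBuilder vulnerableBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /** Hardened configuration. Disallowing the DOCTYPE is the decisive control;
     *  the remaining features are defence in depth for parsers that ignore it. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Parses the ruleset and returns the text of its <description>, exactly as a
     *  loader that reads ruleset metadata would. */
    static String description(DocumentBuilder builder, String xml) throws Exception {
        Document doc = builder.parse(new InputSource(new StringReader(xml)));
        return doc.getElementsByTagName("description").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Stand-in for a sensitive local file (constructed for the demo).
        Path secret = Files.createTempFile("pmd-xxe-demo", ".txt");
        Files.write(secret, "db-password=hunter2".getBytes(StandardCharsets.UTF_8));
        String ruleset = maliciousRuleset(secret);

        // Vulnerable path: the file's contents end up in the parsed ruleset.
        System.out.println("vulnerable parser read: " + description(vulnerableBuilder(), ruleset));

        // Hardened path: the DOCTYPE is rejected, so the entity is never resolved.
        try {
            description(hardenedBuilder(), ruleset);
            System.out.println("hardened parser: unexpectedly accepted the document");
        } catch (SAXException e) {
            System.out.println("hardened parser rejected: " + e.getMessage());
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

The same entity could just as easily point at an http:// URL, which is the request-forgery variant, or at a device such as /dev/random for denial of service; the hardened factory blocks all three because it refuses the DOCTYPE outright. The page's MITM note still applies independently of the parser fix: a ruleset fetched over plain HTTP can be replaced in transit, so remote rulesets should be fetched over HTTPS or vendored into the repository.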

References (1)

https://github.com/pmd/pmd/issues/1650 (Exploit, Third Party Advisory)

Scores

CVSS v3 8.1 (High)
CVSS vector CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector NETWORK
EPSS 0.0123 (1.23%)
EPSS Percentile 65.1%

Details

CWE
CWE-611
Status published
Products (2)
net.sourceforge.pmd/pmd-core (Maven): 0 - 6.0.0
pmd_project/pmd: < 5.8.1
Published Feb 11, 2019
Tracked Since Feb 18, 2026