Description
In DiffPlug Spotless before 1.20.0 (library and Maven plugin) and before 3.20.0 (Gradle plugin), the XML parser would resolve external entities over both HTTP and HTTPS and didn't respect the resolveExternalEntities setting. For example, this allows disclosure of file contents to a MITM attacker if a victim performs a spotlessApply operation on an untrusted XML file.
References (5)
Core References
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/diffplug/spotless/blob/master/plugin-maven/CHANGES.md#version-1200---march-14th-2018-javadoc-jcenter
Issue Tracking, Third Party Advisory x_refsource_misc
https://github.com/diffplug/spotless/issues/358
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/diffplug/spotless/blob/master/plugin-gradle/CHANGES.md#version-3200---march-11th-2018-javadoc-jcenter
Issue Tracking, Third Party Advisory x_refsource_misc
https://github.com/diffplug/spotless/pull/369
Mailing List x_refsource_mlist
https://lists.apache.org/thread.html/r7406e297228c42deeecdd12a576e39d63073faebf14b027b7608fdfd%40%3Cissues.iceberg.apache.org%3E
Scores
CVSS v3
7.5
EPSS
0.0150
EPSS Percentile
70.9%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-611
Status
published
Products (4)
com.diffplug.spotless/spotless-maven-plugin
0 - 1.20.0 (Maven)
com.diffplug.spotless/spotless-plugin-gradle
0 - 3.20.0 (Maven)
diffplug/gradle
< 3.20.0
diffplug/maven
< 1.20.0
Published
Jun 28, 2019
Tracked Since
Feb 18, 2026