GSD-2019-9843
Vulnerability from gsd - Updated: 2023-12-13 01:23Details
In DiffPlug Spotless before 1.20.0 (library and Maven plugin) and before 3.20.0 (Gradle plugin), the XML parser would resolve external entities over both HTTP and HTTPS and didn't respect the resolveExternalEntities setting. For example, this allows disclosure of file contents to a MITM attacker if a victim performs a spotlessApply operation on an untrusted XML file.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2019-9843",
"description": "In DiffPlug Spotless before 1.20.0 (library and Maven plugin) and before 3.20.0 (Gradle plugin), the XML parser would resolve external entities over both HTTP and HTTPS and didn\u0027t respect the resolveExternalEntities setting. For example, this allows disclosure of file contents to a MITM attacker if a victim performs a spotlessApply operation on an untrusted XML file.",
"id": "GSD-2019-9843"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2019-9843"
],
"details": "In DiffPlug Spotless before 1.20.0 (library and Maven plugin) and before 3.20.0 (Gradle plugin), the XML parser would resolve external entities over both HTTP and HTTPS and didn\u0027t respect the resolveExternalEntities setting. For example, this allows disclosure of file contents to a MITM attacker if a victim performs a spotlessApply operation on an untrusted XML file.",
"id": "GSD-2019-9843",
"modified": "2023-12-13T01:23:47.405408Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-9843",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In DiffPlug Spotless before 1.20.0 (library and Maven plugin) and before 3.20.0 (Gradle plugin), the XML parser would resolve external entities over both HTTP and HTTPS and didn\u0027t respect the resolveExternalEntities setting. For example, this allows disclosure of file contents to a MITM attacker if a victim performs a spotlessApply operation on an untrusted XML file."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/diffplug/spotless/blob/master/plugin-maven/CHANGES.md#version-1200---march-14th-2018-javadoc-jcenter",
"refsource": "MISC",
"url": "https://github.com/diffplug/spotless/blob/master/plugin-maven/CHANGES.md#version-1200---march-14th-2018-javadoc-jcenter"
},
{
"name": "https://github.com/diffplug/spotless/issues/358",
"refsource": "MISC",
"url": "https://github.com/diffplug/spotless/issues/358"
},
{
"name": "https://github.com/diffplug/spotless/blob/master/plugin-gradle/CHANGES.md#version-3200---march-11th-2018-javadoc-jcenter",
"refsource": "MISC",
"url": "https://github.com/diffplug/spotless/blob/master/plugin-gradle/CHANGES.md#version-3200---march-11th-2018-javadoc-jcenter"
},
{
"name": "https://github.com/diffplug/spotless/pull/369",
"refsource": "MISC",
"url": "https://github.com/diffplug/spotless/pull/369"
},
{
"name": "[iceberg-issues] 20210701 [GitHub] [iceberg] jackye1995 opened a new pull request #2776: Build: bump up DiffPlug Spotless version",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r7406e297228c42deeecdd12a576e39d63073faebf14b027b7608fdfd@%3Cissues.iceberg.apache.org%3E"
}
]
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "(,1.20.0)",
"affected_versions": "All versions before 1.20.0",
"cvss_v2": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"cvss_v3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-611",
"CWE-937"
],
"date": "2019-07-05",
"description": "In DiffPlug Spotless (library and Maven plugin), the XML parser would resolve external entities over both HTTP and HTTPS and ignores the `resolveExternalEntities` setting. This allows disclosure of file contents to a MITM attacker if a victim performs a `spotlessApply` operation on an untrusted XML file.",
"fixed_versions": [
"1.20.0"
],
"identifier": "CVE-2019-9843",
"identifiers": [
"CVE-2019-9843"
],
"not_impacted": "All versions starting from 1.20.0",
"package_slug": "maven/com.diffplug.spotless/spotless-maven-plugin",
"pubdate": "2019-06-28",
"solution": "Upgrade to version 1.20.0 or above.",
"title": "Improper Restriction of XML External Entity Reference",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2019-9843",
"https://github.com/diffplug/spotless/issues/358",
"https://github.com/diffplug/spotless/pull/369"
],
"uuid": "cde2b8d2-299a-487b-81b9-29b72413b520"
},
{
"affected_range": "(,3.20.0)",
"affected_versions": "All versions before 3.20.0",
"cvss_v2": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"cvss_v3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-611",
"CWE-937"
],
"date": "2019-07-05",
"description": "In DiffPlug Spotless, the XML parser would resolve external entities over both HTTP and HTTPS and ignores the `resolveExternalEntities` setting. This could allow disclosure of file contents to a MITM attacker, if a victim performs a `spotlessApply` operation on an untrusted XML file.",
"fixed_versions": [
"3.20.0"
],
"identifier": "CVE-2019-9843",
"identifiers": [
"CVE-2019-9843"
],
"not_impacted": "All versions starting from 3.20.0",
"package_slug": "maven/com.diffplug.spotless/spotless-plugin-gradle",
"pubdate": "2019-06-28",
"solution": "Upgrade to version 3.20.0 or above.",
"title": "Improper Restriction of XML External Entity Reference",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2019-9843",
"https://github.com/diffplug/spotless/issues/358",
"https://github.com/diffplug/spotless/pull/369"
],
"uuid": "465aaeea-0321-4a00-9508-473c619633f2"
},
{
"affected_range": "(,1.20.0)",
"affected_versions": "All versions before 1.20.0",
"cvss_v2": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"cvss_v3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-611",
"CWE-937"
],
"date": "2021-07-06",
"description": "In DiffPlug Spotless before 1.20.0 (library and Maven plugin) and before 3.20.0 (Gradle plugin), the XML parser would resolve external entities over both HTTP and HTTPS and didn\u0027t respect the resolveExternalEntities setting. For example, this allows disclosure of file contents to a MITM attacker if a victim performs a spotlessApply operation on an untrusted XML file.",
"fixed_versions": [
"1.20.0"
],
"identifier": "CVE-2019-9843",
"identifiers": [
"GHSA-7v35-qwwj-p98g",
"CVE-2019-9843"
],
"not_impacted": "All versions starting from 1.20.0",
"package_slug": "maven/com.diffplug.spotless/spotless-plugin-maven",
"pubdate": "2019-07-05",
"solution": "Upgrade to version 1.20.0 or above.",
"title": "Improper Restriction of XML External Entity Reference",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2019-9843",
"https://github.com/diffplug/spotless/blob/master/plugin-gradle/CHANGES.md#version-3200---march-11th-2018-javadoc-jcenter",
"https://github.com/diffplug/spotless/blob/master/plugin-maven/CHANGES.md#version-1200---march-14th-2018-javadoc-jcenter",
"https://github.com/diffplug/spotless/issues/358",
"https://github.com/diffplug/spotless/pull/369",
"https://github.com/advisories/GHSA-7v35-qwwj-p98g"
],
"uuid": "f1c15a8d-3e08-461f-92ed-c5ef784203d8"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:diffplug:gradle:*:*:*:*:*:spotless:*:*",
"cpe_name": [],
"versionEndExcluding": "3.20.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:diffplug:maven:*:*:*:*:*:spotless:*:*",
"cpe_name": [],
"versionEndExcluding": "1.20.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-9843"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "In DiffPlug Spotless before 1.20.0 (library and Maven plugin) and before 3.20.0 (Gradle plugin), the XML parser would resolve external entities over both HTTP and HTTPS and didn\u0027t respect the resolveExternalEntities setting. For example, this allows disclosure of file contents to a MITM attacker if a victim performs a spotlessApply operation on an untrusted XML file."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-611"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/diffplug/spotless/blob/master/plugin-maven/CHANGES.md#version-1200---march-14th-2018-javadoc-jcenter",
"refsource": "MISC",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/diffplug/spotless/blob/master/plugin-maven/CHANGES.md#version-1200---march-14th-2018-javadoc-jcenter"
},
{
"name": "https://github.com/diffplug/spotless/blob/master/plugin-gradle/CHANGES.md#version-3200---march-11th-2018-javadoc-jcenter",
"refsource": "MISC",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/diffplug/spotless/blob/master/plugin-gradle/CHANGES.md#version-3200---march-11th-2018-javadoc-jcenter"
},
{
"name": "https://github.com/diffplug/spotless/pull/369",
"refsource": "MISC",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/diffplug/spotless/pull/369"
},
{
"name": "https://github.com/diffplug/spotless/issues/358",
"refsource": "MISC",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/diffplug/spotless/issues/358"
},
{
"name": "[iceberg-issues] 20210701 [GitHub] [iceberg] jackye1995 opened a new pull request #2776: Build: bump up DiffPlug Spotless version",
"refsource": "MLIST",
"tags": [],
"url": "https://lists.apache.org/thread.html/r7406e297228c42deeecdd12a576e39d63073faebf14b027b7608fdfd@%3Cissues.iceberg.apache.org%3E"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.1,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 4.9,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": true
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 1.6,
"impactScore": 5.9
}
},
"lastModifiedDate": "2021-07-02T04:15Z",
"publishedDate": "2019-06-28T18:15Z"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…