1. Home
  2. CVE Database
  3. CVE-2019-9843
HIGH · 7.5

CVE-2019-9843

In DiffPlug Spotless before 1.20.0 (library and Maven plugin) and before 3.20.0 (Gradle plugin), the XML parser would resolve external entities over both HTTP and HTTPS and didn't respect the resolveE...

Vulnerability Description

In DiffPlug Spotless before 1.20.0 (library and Maven plugin) and before 3.20.0 (Gradle plugin), the XML parser would resolve external entities over both HTTP and HTTPS and didn't respect the resolveExternalEntities setting. For example, this allows disclosure of file contents to a MITM attacker if a victim performs a spotlessApply operation on an untrusted XML file.

CVSS Score

7.5

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH

Affected Products

VendorProductVersions
DiffplugGradle< 3.20.0
DiffplugMaven< 1.20.0

Related Weaknesses (CWE)

CWE-611

References

FAQ

What is CVE-2019-9843?

CVE-2019-9843 is a vulnerability with a CVSS score of 7.5 (HIGH). In DiffPlug Spotless before 1.20.0 (library and Maven plugin) and before 3.20.0 (Gradle plugin), the XML parser would resolve external entities over both HTTP and HTTPS and didn't respect the resolveE...

How severe is CVE-2019-9843?

CVE-2019-9843 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-9843?

Check the references section above for vendor advisories and patch information. Affected products include: Diffplug Gradle, Diffplug Maven.