8.1

CVSS Score

3.0

Basic Information

CVE ID

CVE-2019-7722

GHSA ID

GHSA-57qj-79gh-69w8

EPSS Score

0.62777%

CWE

CWE-611

Published

5/14/2022

Updated

1/27/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-7722

CVE-2019-7722: Improper Restriction of XML External Entity Reference in PMD

PMD 5.8.1 and earlier processes XML external entities in ruleset files it parses as part of the analysis process, allowing attackers tampering it (either by direct modification or MITM attacks when using remote rulesets) to perform information disclosure, denial of service, or request forgery attacks. (PMD 6.x is unaffected because of a 2017-09-15 change.)

(GitHub Advisory)

8.1

CVSS Score

3.0

Basic Information

CVE ID

CVE-2019-7722

GHSA ID

GHSA-57qj-79gh-69w8

EPSS Score

0.62777%

CWE

CWE-611

Published

5/14/2022

Updated

1/27/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
net.sourceforge.pmd:pmd-core	maven	<= 5.8.1	6.0.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insecure XML parser configuration in ruleset processing. The GitHub issue #1650 explicitly states PMD used default Java XML parser settings (which enable external entities) prior to the 2017 fix. Standard XXE mitigation involves disabling DTDs and external entities via features like XMLConstants.FEATURE_SECURE_PROCESSING. The RuleSetFactory and ResourceLoader classes are core components for ruleset parsing, making their XML parser initialization methods the most likely vulnerable points. The high confidence comes from the direct match between the described vulnerability pattern (CWE-611) and typical Java XXE vulnerabilities in XML parsing code paths.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

PM* *.*.* *n* **rli*r pro**ss*s XML *xt*rn*l *ntiti*s in rul*s*t *il*s it p*rs*s *s p*rt o* t** *n*lysis pro**ss, *llowin* *tt**k*rs t*mp*rin* it (*it**r *y *ir**t mo*i*i**tion or MITM *tt**ks w**n usin* r*mot* rul*s*ts) to p*r*orm in*orm*tion *is*lo

Reasoning

T** vuln*r**ility st*ms *rom ins**ur* XML p*rs*r *on*i*ur*tion in rul*s*t pro**ssin*. T** *it*u* issu* #**** *xpli*itly st*t*s PM* us** ****ult J*v* XML p*rs*r s*ttin*s (w*i** *n**l* *xt*rn*l *ntiti*s) prior to t** **** *ix. St*n**r* XX* miti**tion i

8.1

Basic Information

Concerned about an active attack path?

CVE-2019-7722: Improper Restriction of XML External Entity Reference in PMD

8.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI