CVE-2019-7722: Improper Restriction of XML External Entity Reference in PMD
CVSS Score: 8.1 (CVSS v3.0)
Basic Information
Field | Value |
---|---|
CVE ID | CVE-2019-7722 |
GHSA ID | |
EPSS Score | 0.62777% |
CWE | CWE-611 |
Published | 5/14/2022 |
Updated | 1/27/2023 |
KEV Status | No |
Technology | Java |
Technical Details
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
net.sourceforge.pmd:pmd-core | maven | <= 5.8.1 | 6.0.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from insecure XML parser configuration in ruleset processing. The GitHub issue #1650 explicitly states PMD used default Java XML parser settings (which enable external entities) prior to the 2017 fix. Standard XXE mitigation involves disabling DTDs and external entities via features like XMLConstants.FEATURE_SECURE_PROCESSING. The RuleSetFactory and ResourceLoader classes are core components for ruleset parsing, making their XML parser initialization methods the most likely vulnerable points. The high confidence comes from the direct match between the described vulnerability pattern (CWE-611) and typical Java XXE vulnerabilities in XML parsing code paths.
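The analysis above describes the general defect (a DOM parser left at JDK defaults) and the general fix (secure processing plus DTD and external-entity features turned off). The following Java example is added here to make that concrete; it is not PMD's own code, and the class name, the `ruleset` document shape, and the field names are constructed for illustration. It puts a default-configured DocumentBuilder beside a hardened one and parses the same constructed ruleset through both. The sample document uses an internal entity so the example runs offline; because the hardened builder refuses any DOCTYPE, external entities are rejected at the same point.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class RulesetParserHardening {

    // Constructed sample: a minimal ruleset-like document carrying a DOCTYPE
    // with an (internal) entity. A hardened parser must refuse it before any
    // entity, internal or external, is resolved.
    static final String RULESET_WITH_DTD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE ruleset [ <!ENTITY ext \"injected-by-dtd\"> ]>\n"
      + "<ruleset name=\"demo\"><description>&ext;</description></ruleset>";

    // Constructed sample: an ordinary ruleset with no DTD at all.
    static final String PLAIN_RULESET =
        "<?xml version=\"1.0\"?><ruleset name=\"demo\"><description>ok</description></ruleset>";

    // Weak configuration: JDK defaults. DTDs are accepted and entities are expanded.
    static DocumentBuilder weakBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened configuration: reject DOCTYPE outright, disable external entities,
    // disable XInclude and entity expansion, and enable secure processing.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        // JAXP 1.5 properties: never fetch an external DTD or schema.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f.newDocumentBuilder();
    }

    static Document parse(DocumentBuilder b, String xml) throws SAXException, IOException {
        return b.parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Weak parser: DTD accepted and the entity is expanded into the document.
        Document weak = parse(weakBuilder(), RULESET_WITH_DTD);
        System.out.println("weak parser description: "
            + weak.getElementsByTagName("description").item(0).getTextContent());

        // Hardened parser still accepts an ordinary ruleset ...
        Document ok = parse(hardenedBuilder(), PLAIN_RULESET);
        System.out.println("hardened parser, plain ruleset: "
            + ok.getDocumentElement().getAttribute("name"));

        // ... but rejects the DOCTYPE before any entity resolution happens.
        try {
            parse(hardenedBuilder(), RULESET_WITH_DTD);
            System.out.println("UNEXPECTED: DTD accepted");
        } catch (SAXException e) {
            System.out.println("hardened parser rejected DTD: " + e.getMessage());
        }
    }
}
```

The feature URIs are the Xerces/JDK built-in parser names; a different JAXP implementation may reject an unknown feature with ParserConfigurationException, which is the right failure mode for a security setting (fail closed rather than silently parse). Disabling DOCTYPE entirely is the simplest check for a format such as a ruleset that never legitimately needs a DTD; the remaining features are defence in depth for parsers where DOCTYPE cannot be refused.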