
CVE-2019-7722: Improper Restriction of XML External Entity Reference in PMD

CVSS Score: 8.1 (CVSS v3.0)

Basic Information

EPSS Score: 0.62777%
Published: 5/14/2022
Updated: 1/27/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name                 | Ecosystem | Vulnerable Versions | First Patched Version
net.sourceforge.pmd:pmd-core | maven     | <= 5.8.1            | 6.0.0

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from insecure XML parser configuration in ruleset processing. The GitHub issue #1650 explicitly states PMD used default Java XML parser settings (which enable external entities) prior to the 2017 fix. Standard XXE mitigation involves disabling DTDs and external entities via features like XMLConstants.FEATURE_SECURE_PROCESSING. The RuleSetFactory and ResourceLoader classes are core components for ruleset parsing, making their XML parser initialization methods the most likely vulnerable points. The high confidence comes from the direct match between the described vulnerability pattern (CWE-611) and typical Java XXE vulnerabilities in XML parsing code paths.


WAF Protection Rules

WAF Rule

PMD 5.8.1 and earlier processes XML external entities in ruleset files it parses as part of the analysis process, allowing attackers tampering it (either by direct modification or MITM attacks when using remote rulesets) to perform information disclosure
