High severity7.5OSV Advisory· Published Jun 28, 2019· Updated Jun 17, 2026
CVE-2019-9843
CVE-2019-9843
Description
In DiffPlug Spotless before 1.20.0 (library and Maven plugin) and before 3.20.0 (Gradle plugin), the XML parser would resolve external entities over both HTTP and HTTPS and didn't respect the resolveExternalEntities setting. For example, this allows disclosure of file contents to a MITM attacker if a victim performs a spotlessApply operation on an untrusted XML file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
com.diffplug.spotless:spotless-plugin-gradleMaven | < 3.20.0 | 3.20.0 |
com.diffplug.spotless:spotless-maven-pluginMaven | < 1.20.0 | 1.20.0 |
Affected products
3- ghsa-coords2 versionspkg:maven/com.diffplug.spotless/spotless-maven-pluginpkg:maven/com.diffplug.spotless/spotless-plugin-gradle
< 1.20.0+ 1 more
- (no CPE)range: < 1.20.0
- (no CPE)range: < 3.20.0
Patches
Vulnerability mechanics
References
7- github.com/advisories/GHSA-7v35-qwwj-p98gghsaADVISORY
- github.com/diffplug/spotless/blob/master/plugin-gradle/CHANGES.mdnvdRelease NotesThird Party AdvisoryWEB
- github.com/diffplug/spotless/blob/master/plugin-maven/CHANGES.mdnvdRelease NotesThird Party AdvisoryWEB
- github.com/diffplug/spotless/issues/358nvdIssue TrackingThird Party AdvisoryWEB
- github.com/diffplug/spotless/pull/369nvdIssue TrackingThird Party AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2019-9843ghsaADVISORY
- lists.apache.org/thread.html/r7406e297228c42deeecdd12a576e39d63073faebf14b027b7608fdfd%40%3Cissues.iceberg.apache.org%3Envd
News mentions
0No linked articles in our index yet.