CVE-2019-9843 in DiffPlug Spotless
Summary
by MITRE
In DiffPlug Spotless before 1.20.0 (library and Maven plugin) and before 3.20.0 (Gradle plugin), the XML parser would resolve external entities over both HTTP and HTTPS and didn't respect the resolveExternalEntities setting. For example, this allows disclosure of file contents to a MITM attacker if a victim performs a spotlessApply operation on an untrusted XML file.
Analysis
by VulDB Data Team • 10/09/2023
The vulnerability identified as CVE-2019-9843 affects the DiffPlug Spotless tooling ecosystem: the library and Maven plugin in versions before 1.20.0, and the Gradle plugin in versions before 3.20.0. The flaw lies in the XML parsing implementation, which does not properly restrict external entity resolution and so exposes an avoidable attack surface. Specifically, the parser ignores the resolveExternalEntities configuration setting, which is meant to control whether external entities are resolved at all during XML processing.
The flaw manifests when Spotless processes an untrusted XML file through its spotlessApply operation. The parser resolves external entities over both HTTP and HTTPS without validation or restriction, so a crafted XML document can cause the contents of files on the victim's system to be disclosed, in the scenario MITRE describes to a man-in-the-middle attacker. This contradicts the principle of least privilege, since a code formatter has no need to fetch remote resources, and it gives remote attackers a path to local files that would otherwise be inaccessible from outside, particularly when developers unknowingly process untrusted configuration files.
The operational impact goes beyond simple information disclosure, because the behaviour can serve as a stepping stone for further attacks inside development environments. When developers run spotlessApply on compromised XML files, the parser can expose sensitive configuration data, source code, or system information to remote attackers. The exposure is a software-supply-chain concern: developers routinely process XML configuration files from many sources, including third-party libraries, build scripts, and automated tooling, any of which may carry malicious content. The risk persists in development environments where security controls are not enforced during routine build and formatting operations.
Organizations should mitigate immediately by upgrading to the patched versions of DiffPlug Spotless: 1.20.0 or later for the library and Maven plugin, and 3.20.0 or later for the Gradle plugin. Developers should also apply strict input validation and avoid passing untrusted XML files through the Spotless tooling. The vulnerability aligns with CWE-611 (Improper Restriction of XML External Entity Reference) and can be categorized under ATT&CK technique T1190 (Exploit Public-Facing Application) and T1078 (Valid Accounts). Security teams should monitor build environments for suspicious XML file processing and apply network-level controls that restrict outbound HTTP/HTTPS connections from development systems while untrusted content is being processed, since the vulnerability effectively turns legitimate development tooling into a data exfiltration vector.
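The defect described above is a "resolve external entities" setting that the parser does not actually honour. The following is an added example, not Spotless's own code and not the fix the project shipped: it shows how a JAXP DocumentBuilderFactory must be configured so that a resolveExternalEntities=false setting is enforced at the parser level, and demonstrates on two constructed inputs that a document carrying an external entity declaration is rejected rather than fetched. The flag name mirrors the setting named in the advisory; the class, method names and sample documents are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;

/**
 * Added example (hypothetical, not Spotless code): a parser factory that
 * actually honours a resolveExternalEntities flag. When the flag is false,
 * external DTDs, external general/parameter entities and XInclude are all
 * disabled, so nothing is fetched over file://, http:// or https://.
 */
public class SafeXmlParsing {

    /** Builds a DocumentBuilder whose behaviour matches the requested flag. */
    public static DocumentBuilder newParser(boolean resolveExternalEntities)
            throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        if (!resolveExternalEntities) {
            // Primary control: refuse DOCTYPE declarations entirely. External
            // entities can only be declared inside a DTD, so this blocks them.
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            // Defence in depth for parsers that accept DOCTYPE but support these features.
            f.setFeature("http://xml.org/sax/features/external-general-entities", false);
            f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
            f.setXIncludeAware(false);
            f.setExpandEntityReferences(false);
            try {
                // JAXP 1.5 properties: an empty protocol list forbids all external access.
                f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
                f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
            } catch (IllegalArgumentException ignored) {
                // Older third-party parser implementations may not know these
                // attributes; the features set above still apply.
            }
        }
        return f.newDocumentBuilder();
    }

    /** Parses untrusted XML text and returns null if the parser rejects it. */
    public static Document parseUntrusted(String xml, boolean resolveExternalEntities) {
        try {
            DocumentBuilder db = newParser(resolveExternalEntities);
            return db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        } catch (Exception e) {
            System.out.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: a plain formatter configuration, and the same
        // document with a DOCTYPE declaring an external entity that points
        // at a placeholder host (.invalid is reserved and never resolves).
        String benign = "<formatter><indent size=\"4\"/></formatter>";
        String withExternalEntity =
            "<!DOCTYPE formatter [<!ENTITY cfg SYSTEM \"http://example.invalid/cfg.dtd\">]>"
            + "<formatter>&cfg;</formatter>";

        System.out.println("benign parsed: "
            + (parseUntrusted(benign, false) != null));            // true
        System.out.println("external-entity document parsed: "
            + (parseUntrusted(withExternalEntity, false) != null)); // false, rejected at DOCTYPE
    }
}
```

The important design point is that the flag is enforced by the parser configuration itself, not by inspecting the document text first: a check that only greps for "SYSTEM" or "http" is easy to bypass with encoding tricks, whereas disallow-doctype-decl makes the parser fail before any entity can be declared. When a build tool legitimately needs DTDs, the weaker combination of disabling external general and parameter entities plus an empty ACCESS_EXTERNAL_DTD list is the fallback, and the resulting network egress from formatting runs is what the advisory suggests monitoring.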