[core] Advisory - XXE attack on ruleset parsing #1650

jsotuyod opened this Issue Feb 11, 2019 · 0 comments

jsotuyod commented Feb 11, 2019

This issue is for future reference.

As part of an unrelated security concern discussion regarding a possible remote code execution (which was discarded as impossible) on a separate issue, I found that our XML parsing wasn't hardened, allowing for XXE attacks.

When PMD was run, the ruleset XMLs were parsed with the default Java parser settings, which allowed an attacker to perform an XXE attack.

Rulesets can be either local files, or accessed through the network over http / https. So, depending on the context, this attack could require physical access to the machine, or be achieved through a man-in-the-middle attack.

The XXE attack can be used to perform information disclosure on the developer's machine, CI servers or other infrastructure running PMD; as well as denial of service attacks and request forgery.

All PMD versions up to PMD 6.0.0 are vulnerable.

A fix was produced in #592 following the OWASP XXE Prevention cheat sheet, making all PMD 6 releases and later safe.
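To illustrate what "hardened according to the OWASP XXE Prevention cheat sheet" means for a JAXP parser, here is an added example (not PMD's code from #592, and not the actual PMD ruleset loader): a DocumentBuilder configured to refuse DOCTYPE declarations and never resolve external entities, tried against a constructed minimal ruleset and against a constructed input carrying an inline DOCTYPE. The class name, the `ruleset` snippets and the feature constants are assumptions for the demo; the feature URIs themselves are the standard Xerces/JAXP ones the cheat sheet lists.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

// Hypothetical helper for the demo, not PMD's RuleSetFactory.
public final class HardenedRulesetParser {

    // Feature URIs recommended by the OWASP XXE Prevention Cheat Sheet for JAXP parsers.
    private static final String DISALLOW_DOCTYPE = "http://apache.org/xml/features/disallow-doctype-decl";
    private static final String EXTERNAL_GENERAL = "http://xml.org/sax/features/external-general-entities";
    private static final String EXTERNAL_PARAMETER = "http://xml.org/sax/features/external-parameter-entities";
    private static final String LOAD_EXTERNAL_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    /** Builds a DocumentBuilder that refuses DOCTYPEs and never resolves external entities. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(DISALLOW_DOCTYPE, true);      // any DTD / entity declaration is a hard parse error
        dbf.setFeature(EXTERNAL_GENERAL, false);     // defence in depth should DOCTYPE ever be re-enabled
        dbf.setFeature(EXTERNAL_PARAMETER, false);
        dbf.setFeature(LOAD_EXTERNAL_DTD, false);
        dbf.setXIncludeAware(false);                 // XInclude can also pull in external resources
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    /** Parses a ruleset XML string; throws SAXParseException if the input carries a DOCTYPE. */
    static Document parseRuleset(String xml) throws Exception {
        return hardenedBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed, minimal document in the shape of a PMD ruleset (not a real PMD ruleset file).
        String clean = "<?xml version=\"1.0\"?><ruleset name=\"demo\"><description>ok</description></ruleset>";
        System.out.println("clean ruleset root: " + parseRuleset(clean).getDocumentElement().getTagName());

        // Constructed input with an inline DOCTYPE; the hardened parser rejects it before any entity is resolved.
        String withDoctype = "<?xml version=\"1.0\"?><!DOCTYPE ruleset [<!ENTITY e \"x\">]><ruleset name=\"demo\"/>";
        try {
            parseRuleset(withDoctype);
            System.out.println("UNEXPECTED: DOCTYPE was accepted");
        } catch (SAXParseException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

With the default `DocumentBuilderFactory.newInstance()` and none of these features set, the same DOCTYPE input parses without error, which is the behaviour the issue describes for PMD before the fix.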

jsotuyod added the a:bug label Feb 11, 2019

jsotuyod added this to the 6.0.0 milestone Feb 11, 2019

jsotuyod closed this Feb 11, 2019
