CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS
Percentile
82.4%
Due to an incomplete fix for CVE-2019-9658, Checkstyle was still vulnerable to XML External Entity (XXE) processing when parsing its XML configuration files.
This vulnerability probably does not impact most Maven/Gradle users: in those builds the configuration files being processed are trusted, or have been vetted by a pull request reviewer before being run on internal CI infrastructure.
If you operate a site or service that parses untrusted Checkstyle XML configuration files, you are vulnerable to this and should patch.
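As an added illustration of the bug class described above (this is not code from the Checkstyle advisory or from the project; the "vulnerable" factory is simply JAXP defaults and the hardened factory is a generic configuration, not a description of the actual fix commit): a constructed configuration file declares an external entity pointing at a file on the analysis host. A parser left at its defaults expands the entity and the file contents end up inside the parsed document; a parser with external entity resolution disabled, plus a deny-all `EntityResolver`, leaves it out while still accepting the DOCTYPE that legitimate Checkstyle configurations carry. The secret file and the configuration are constructed by the program itself so it runs offline.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public class CheckstyleXxeDemo {

    // Collects character data so we can see whether &xxe; was expanded into the document.
    static final class TextCollector extends DefaultHandler {
        final StringBuilder text = new StringBuilder();
        @Override public void characters(char[] ch, int start, int len) {
            text.append(ch, start, len);
        }
    }

    // JAXP defaults: DOCTYPE allowed and external entities resolved (the hypothetical "before").
    static SAXParserFactory vulnerableFactory() throws Exception {
        return SAXParserFactory.newInstance();
    }

    // Hardened: keep DOCTYPE (Checkstyle configs legitimately carry one) but never fetch anything external.
    static SAXParserFactory hardenedFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return f;
    }

    // Belt and braces: even if a feature were unsupported by some parser, every external
    // reference (DTD or entity) resolves to an empty document instead of a file or URL fetch.
    static final EntityResolver DENY_ALL = (publicId, systemId) -> new InputSource(new StringReader(""));

    static String parse(SAXParserFactory f, String xml, EntityResolver resolver) throws Exception {
        XMLReader reader = f.newSAXParser().getXMLReader();
        TextCollector handler = new TextCollector();
        reader.setContentHandler(handler);
        if (resolver != null) {
            reader.setEntityResolver(resolver);
        }
        reader.parse(new InputSource(new StringReader(xml)));
        return handler.text.toString().trim();
    }

    public static void main(String[] args) throws Exception {
        // Constructed secret standing in for a file an attacker wants out of the analysis host.
        Path secret = Files.createTempFile("secret", ".txt");
        Files.write(secret, "top-secret-token".getBytes(StandardCharsets.UTF_8));
        secret.toFile().deleteOnExit();

        // Constructed malicious "Checkstyle configuration". The entity is referenced in element
        // content rather than in an attribute value, because XML forbids references to external
        // entities inside attribute values.
        String config =
              "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE module [ <!ENTITY xxe SYSTEM \"" + secret.toUri() + "\"> ]>\n"
            + "<module name=\"Checker\">\n"
            + "  <property name=\"charset\" value=\"UTF-8\"/>\n"
            + "  &xxe;\n"
            + "</module>\n";

        System.out.println("default parser  : '" + parse(vulnerableFactory(), config, null) + "'");
        System.out.println("hardened parser : '" + parse(hardenedFactory(), config, DENY_ALL) + "'");
    }
}
```

Running it with the JDK's built-in parser prints the secret for the default factory and an empty string for the hardened one; the hardened parser reports the reference through SAX's `skippedEntity` callback rather than failing, so a configuration that merely carries the standard Checkstyle DOCTYPE still loads. Note that the external-entity and external-DTD feature names above are Xerces feature URIs; a different SAX implementation may not recognise them, which is why the deny-all resolver is set as well.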
Note from the discoverer of the original CVE-2019-9658:
> While looking at a few companies that run Checkstyle/PMD/etc. as a service I noticed that it’s a common pattern to run the static code analysis tool inside of a Docker container with the following flags:
>
> > --net=none \
> > --privileged=false \
> > --cap-drop=ALL
>
> Running the analysis in Docker has the advantage that there should be no sensitive local file information that XXE can exfiltrate from the container. Additionally, these flags prevent vulnerabilities in static analysis tools like Checkstyle from being used to exfiltrate data via XXE or to perform SSRF.
> - Jonathan Leitschuh
Has the problem been patched? What versions should users upgrade to?
Patched; the fix will be released in version 8.29 on 26 Jan 2020.
Is there a way for users to fix or remediate the vulnerability without upgrading?
No workarounds are available.
If you have any questions or comments about this advisory:
Vendor | Product | Version | CPE |
---|---|---|---|
com.puppycrawl.tools | checkstyle | * | cpe:2.3:a:com.puppycrawl.tools:checkstyle:*:*:*:*:*:*:*:* |
github.com/advisories/GHSA-763g-fqq7-48wg
github.com/checkstyle/checkstyle/commit/c46a16d177e6797895b195c288ae9a9a096254b8
github.com/checkstyle/checkstyle/issues/7468
github.com/checkstyle/checkstyle/security/advisories/GHSA-763g-fqq7-48wg
lists.apache.org/thread.html/r8aaf4ee16bbaf6204731d4770d96ebb34b258cd79b491f9cdd7f2540@%3Ccommits.nifi.apache.org%3E
lists.debian.org/debian-lts-announce/2020/02/msg00008.html
nvd.nist.gov/vuln/detail/CVE-2019-10782
snyk.io/vuln/SNYK-JAVA-COMPUPPYCRAWLTOOLS-543266