CVE-2019-9658: Gradle depends upon Checkstyle Version vulnerable to MITM based XXE #8792
Gradle's checkstyle plugin currently ships with a default dependency upon Checkstyle version 8.17.
gradle/subprojects/code-quality/src/main/groovy/org/gradle/api/plugins/quality/CheckstylePlugin.java, line 39 in ae6478d
Checkstyle versions below 8.18 are vulnerable to XXE of the remotely loaded DTD file being MITMed.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9658
https://nvd.nist.gov/vuln/detail/CVE-2019-9658

Comments

From checkstyle/checkstyle#6474, it looks like only versions <8.11 are definitely affected by default? IIUC, if you have custom configuration, you might be affected with 8.11-8.17.

As of this writing,

Looking back at my notes on this research and the comments, yes, you are correct. The reason I originally found this vulnerability, requiring me to responsibly disclose it to the checkstyle team, was that I found my build would fail due to checkstyle if I ran it in offline mode with the internet disconnected. I originally set up checkstyle sometime in the Gradle 4.x series.

Fixed in 1be126f

Hi, our team still uses Gradle 5.6.3, which means we cannot get this fix. Is it possible to also apply the fix to 5.6.3?

@hstonec Simply upgrade the version of CheckStyle that your build relies upon.
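The workaround suggested in the thread (override the Checkstyle version your build pulls in instead of waiting for a Gradle release that bumps the plugin default) as a Gradle Groovy DSL build script. This is an added example, not code from this issue or from the Gradle project. It sets toolVersion to 8.18, the first release the issue identifies as fixed, and adds a guard task whose name, verifyCheckstyleVersion, is chosen here; the plugin id, the checkstyle extension's toolVersion property, the checkstyle configuration and the com.puppycrawl.tools:checkstyle coordinates are Gradle's and Checkstyle's real ones. The guard exists because toolVersion alone can still be overridden by a dependency constraint or a resolution strategy elsewhere in the build, so it checks the artifact that is actually resolved.

```groovy
// build.gradle (Groovy DSL). Added example, not the Gradle project's own code.
plugins {
    id 'java'
    id 'checkstyle'
}

repositories {
    mavenCentral()
}

// Override the plugin default (8.17 when this issue was filed) with a fixed release.
// toolVersion is a long-standing property of the checkstyle extension, so this
// also works on Gradle 5.6.3 as asked in the thread.
checkstyle {
    toolVersion = '8.18'
}

// Numeric comparison of dotted version strings, so that '8.9' sorts below '8.18'
// (a plain string comparison would get this wrong).
int compareVersions(String a, String b) {
    def pa = a.tokenize('.').collect { it.isInteger() ? it.toInteger() : 0 }
    def pb = b.tokenize('.').collect { it.isInteger() ? it.toInteger() : 0 }
    int n = Math.max(pa.size(), pb.size())
    for (int i = 0; i < n; i++) {
        int x = i < pa.size() ? pa[i] : 0
        int y = i < pb.size() ? pb[i] : 0
        if (x != y) {
            return x <=> y
        }
    }
    return 0
}

// Guard task (name chosen for this example): fail the build if the Checkstyle
// artifact that actually gets resolved is older than the first fixed release.
task verifyCheckstyleVersion {
    description = 'Fails the build if the resolved Checkstyle is affected by CVE-2019-9658'
    doLast {
        def minFixed = '8.18'
        def resolved = configurations.checkstyle.resolvedConfiguration.resolvedArtifacts
            .collect { it.moduleVersion.id }
            .find { it.group == 'com.puppycrawl.tools' && it.name == 'checkstyle' }
        if (resolved == null) {
            throw new GradleException('com.puppycrawl.tools:checkstyle not found in the checkstyle configuration')
        }
        if (compareVersions(resolved.version, minFixed) < 0) {
            throw new GradleException(
                "Checkstyle ${resolved.version} is affected by CVE-2019-9658; use ${minFixed} or newer")
        }
        logger.lifecycle("Checkstyle ${resolved.version} resolved (>= ${minFixed})")
    }
}

// Run the guard before any Checkstyle task (checkstyleMain, checkstyleTest, ...).
tasks.withType(Checkstyle).configureEach {
    dependsOn verifyCheckstyleVersion
}
```

Running `gradle check` now fails fast with the CVE identifier in the message if anything in the build resolves Checkstyle below 8.18, and otherwise logs the version that was used; the 8.11-8.17 caveat from the thread about custom configuration still applies if you deliberately pin a version in that range.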