CVE-2019-10782

NameCVE-2019-10782
DescriptionAll versions of com.puppycrawl.tools:checkstyle before 8.29 are vulnerable to XML External Entity (XXE) Injection due to an incomplete fix for CVE-2019-9658.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-2099-1
NVD severitymedium

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
checkstyle (PTS)jessie5.9-1vulnerable
jessie (security)5.9-1+deb8u2fixed
stretch6.15-1fixed
buster8.15-1fixed
bullseye, sid8.29-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
checkstylesource(unstable)8.29-1
checkstylesourcebuster(not affected)
checkstylesourcejessie5.9-1+deb8u2DLA-2099-1
checkstylesourcestretch(not affected)

Notes

[buster] - checkstyle <not-affected> (Incomplete fix for CVE-2019-9658 not applied)
[stretch] - checkstyle <not-affected> (Incomplete fix for CVE-2019-9658 not applied)
https://snyk.io/vuln/SNYK-JAVA-COMPUPPYCRAWLTOOLS-543266
https://github.com/checkstyle/checkstyle/issues/7468
https://github.com/checkstyle/checkstyle/security/advisories/GHSA-763g-fqq7-48wg

Search for package or bug name: Reporting problems