Homepage

net.sourceforge.pmd:pmd-core@6.23.0 vulnerabilities

  • latest version

    7.9.0

  • latest non vulnerable version

    6.20.0

  • first published

    10 years ago

  • latest version published

    1 months ago

  • licenses detected

  • package manager

    View on Maven Repository
    • Go back to all versions of this package
    Report a new vulnerability Found a mistake?

    Direct Vulnerabilities

    Known vulnerabilities in the net.sourceforge.pmd:pmd-core package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • M
    Cleartext Storage of Sensitive Information

    net.sourceforge.pmd:pmd-core is an extensible multilanguage static code analyzer.

    Affected versions of this package are vulnerable to Cleartext Storage of Sensitive Information in the form of the passphrase for gpg.keyname=0xD0BF1D737C9A1C22 appearing in the Maven jar in error. An attacker could compromise the following two keys by exploiting the exposed passphrase. Both keys have been revoked in addition to the removal of of the key signing credentials from future jars.

    94A5 2756 9CAF 7A47 AFCA BDE4 86D3 7ECA 8C2E 4C5B

    EBB2 41A5 45CB 17C8 7FAC B2EB D0BF 1D73 7C9A 1C22

    The Eclipse plugin net.sourceforge.pmd.eclipse.plugin was also signed with the latter key.

    Note: The project maintainers emphasize that "the published artifacts in Maven Central under the group id net.sourceforge.pmd are not compromised and the signatures are valid. No other past usages of the private key is known to the project and no future use is possible due to the revocation."

    How to fix Cleartext Storage of Sensitive Information?

    Upgrade net.sourceforge.pmd:pmd-core to version 7.10.0 or higher.

    [6.21.0,7.10.0)
    Go back to all versions of this package