Homepage

net.sourceforge.pmd:pmd-ui@7.0.0-rc4 vulnerabilities

  • latest version

    6.49.0

  • latest non vulnerable version

    6.12.0

  • first published

    8 years ago

  • latest version published

    2 years ago

  • licenses detected

  • package manager

    View on Maven Repository
    • Go back to all versions of this package
    Report a new vulnerability Found a mistake?

    Direct Vulnerabilities

    Known vulnerabilities in the net.sourceforge.pmd:pmd-ui package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • M
    Cleartext Storage of Sensitive Information

    Affected versions of this package are vulnerable to Cleartext Storage of Sensitive Information in the form of the passphrase for gpg.keyname=0xD0BF1D737C9A1C22 appearing in the Maven jar in error. An attacker could compromise the following two keys by exploiting the exposed passphrase. Both keys have been revoked in addition to the removal of of the key signing credentials from future jars.

    94A5 2756 9CAF 7A47 AFCA BDE4 86D3 7ECA 8C2E 4C5B

    EBB2 41A5 45CB 17C8 7FAC B2EB D0BF 1D73 7C9A 1C22

    The Eclipse plugin net.sourceforge.pmd.eclipse.plugin was also signed with the latter key.

    Note: The project maintainers emphasize that "the published artifacts in Maven Central under the group id net.sourceforge.pmd are not compromised and the signatures are valid. No other past usages of the private key is known to the project and no future use is possible due to the revocation."

    How to fix Cleartext Storage of Sensitive Information?

    There is no fixed version for net.sourceforge.pmd:pmd-ui.

    [6.14.0,)
    Go back to all versions of this package