Cleartext Storage of Sensitive Information Affecting net.sourceforge.pmd:pmd-ui package, versions [6.14.0,]
Threat Intelligence
Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Cleartext Storage of Sensitive Information vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-JAVA-NETSOURCEFORGEPMD-8685052
- published2 Feb 2025
- disclosed31 Jan 2025
- creditUnknown
Introduced: 31 Jan 2025
NewCVE-2025-23215 (opens in a new tab)How to fix?
There is no fixed version for net.sourceforge.pmd:pmd-ui.
Overview
Affected versions of this package are vulnerable to Cleartext Storage of Sensitive Information in the form of the passphrase for gpg.keyname=0xD0BF1D737C9A1C22 appearing in the Maven jar in error. An attacker could compromise the following two keys by exploiting the exposed passphrase. Both keys have been revoked in addition to the removal of of the key signing credentials from future jars.
94A5 2756 9CAF 7A47 AFCA BDE4 86D3 7ECA 8C2E 4C5B
EBB2 41A5 45CB 17C8 7FAC B2EB D0BF 1D73 7C9A 1C22
The Eclipse plugin net.sourceforge.pmd.eclipse.plugin was also signed with the latter key.
Note: The project maintainers emphasize that "the published artifacts in Maven Central under the group id net.sourceforge.pmd are not compromised and the signatures are valid. No other past usages of the private key is known to the project and no future use is possible due to the revocation."