CVE-2025-23215

PMD is an extensible multilanguage static code analyzer. The passphrase for the PMD and PMD Designer release signing keys are included in jar published to Maven Central. The private key itself is not known to have been compromised itself, but given its passphrase is, it must also be considered potentially compromised. As a mitigation, both compromised keys have been revoked so that no future use of the keys are possible. Note, that the published artifacts in Maven Central under the group id net.sourceforge.pmd are not compromised and the signatures are valid.

CVSS

No CVSS.

References

Link	Resource
https://github.com/pmd/pmd-designer/commit/1548f5f27ba2981b890827fecbd0612fa70a0362
https://github.com/pmd/pmd-designer/commit/e87a45312753ec46b3e5576c6f6ac1f7de2f5891
https://github.com/pmd/pmd/security/advisories/GHSA-88m4-h43f-wx84

Configurations

No configuration.

History

04 Apr 2025, 21:15

Type	Values Removed	Values Added
Summary		(es) PMD es un analizador de código estático multilenguaje extensible. La frase de contraseña para las claves de firma de la versión de PMD y PMD Designer se incluye en el jar publicado en Maven Central. No se sabe si la clave privada en sí se ha visto comprometida, pero dado que su frase de contraseña sí lo está, también debe considerarse potencialmente comprometida. Como mitigación, se han revocado ambas claves comprometidas para que no sea posible su uso en el futuro. Tenga en cuenta que los artefactos publicados en Maven Central bajo el ID de grupo net.sourceforge.pmd no están comprometidos y las firmas son válidas.

31 Jan 2025, 17:15

Type	Values Removed	Values Added
CWE		CWE-312

31 Jan 2025, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-01-31 16:15

Updated : 2025-04-04 21:15

NVD link : CVE-2025-23215

Mitre link : CVE-2025-23215

CVE.ORG link : CVE-2025-23215

JSON object : View

Products Affected

No product.

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-312

Cleartext Storage of Sensitive Information

CWE-540

Inclusion of Sensitive Information in Source Code

{"id": "CVE-2025-23215", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "CLEAR", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-01-31T16:15:35.643", "references": [{"url": "https://github.com/pmd/pmd-designer/commit/1548f5f27ba2981b890827fecbd0612fa70a0362", "source": "security-advisories@github.com"}, {"url": "https://github.com/pmd/pmd-designer/commit/e87a45312753ec46b3e5576c6f6ac1f7de2f5891", "source": "security-advisories@github.com"}, {"url": "https://github.com/pmd/pmd/security/advisories/GHSA-88m4-h43f-wx84", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-312"}, {"lang": "en", "value": "CWE-540"}]}], "descriptions": [{"lang": "en", "value": "PMD is an extensible multilanguage static code analyzer. The passphrase for the PMD and PMD Designer release signing keys are included in jar published to Maven Central. The private key itself is not known to have been compromised itself, but given its passphrase is, it must also be considered potentially compromised. As a mitigation, both compromised keys have been revoked so that no future use of the keys are possible. Note, that the published artifacts in Maven Central under the group id net.sourceforge.pmd are not compromised and the signatures are valid."}, {"lang": "es", "value": "PMD es un analizador de c\u00f3digo est\u00e1tico multilenguaje extensible. La frase de contrase\u00f1a para las claves de firma de la versi\u00f3n de PMD y PMD Designer se incluye en el jar publicado en Maven Central. No se sabe si la clave privada en s\u00ed se ha visto comprometida, pero dado que su frase de contrase\u00f1a s\u00ed lo est\u00e1, tambi\u00e9n debe considerarse potencialmente comprometida. Como mitigaci\u00f3n, se han revocado ambas claves comprometidas para que no sea posible su uso en el futuro. Tenga en cuenta que los artefactos publicados en Maven Central bajo el ID de grupo net.sourceforge.pmd no est\u00e1n comprometidos y las firmas son v\u00e1lidas."}], "lastModified": "2025-04-04T21:15:44.423", "sourceIdentifier": "security-advisories@github.com"}