7 matches found
ch.acanda.maven:code-analysis-maven-plugin (>=1.6.0 <=1.6.1), net.sourceforge.pmd:pmd-cli (>=7.0.0 <=7.1.0) +1 more potentially affected by CVE-2025-23215 via net.sourceforge.pmd:pmd-designer (=7.0.0)
net.sourceforge.pmd:pmd-designer MAVEN version =7.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on net.sourceforge.pmd:pmd-designer and may be impacted: - ch.acanda.maven:code-analysis-maven-plugin =1.6.0, =7.0.0, =7.0.0, =7.1.0 Source cves:...
GHSA-88M4-H43F-WX84 PMD Designer's release key passphrase (GPG) available on Maven Central in cleartext
Summary: While rebuilding PMD Designer for Reproducible Builds and digging into issues, I found out that the passphrase for gpg.keyname=0xD0BF1D737C9A1C22 is included in the jar published to Maven Central. Details: See...
PMD Designer's release key passphrase (GPG) available on Maven Central in cleartext
Summary: While rebuilding PMD Designer for Reproducible Builds and digging into issues, I found out that the passphrase for gpg.keyname=0xD0BF1D737C9A1C22 is included in the jar published to Maven Central. Details: See...
ch.acanda.maven:code-analysis-maven-plugin (>=1.6.0 <=1.6.1), net.sourceforge.pmd:pmd-cli (>=7.0.0 <=7.1.0) +1 more potentially affected by CVE-2025-23215 via net.sourceforge.pmd:pmd-designer (=7.0.0)
net.sourceforge.pmd:pmd-designer MAVEN version =7.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on net.sourceforge.pmd:pmd-designer and may be impacted: - ch.acanda.maven:code-analysis-maven-plugin =1.6.0, =7.0.0, =7.0.0, =7.1.0 Source cves:...
Cleartext Storage of Sensitive Information
Overview: net.sourceforge.pmd:pmd-designer is a graphical tool that helps PMD users develop their custom rules. Affected versions of this package are vulnerable to Cleartext Storage of Sensitive Information in the form of the passphrase for gpg.keyname=0xD0BF1D737C9A1C22 appearing in the Maven jar ...
CVE-2025-23215 PMD Designer's release key passphrase (GPG) available on Maven Central in cleartext
PMD is an extensible multilanguage static code analyzer. The passphrase for the PMD and PMD Designer release signing keys is included in the jar published to Maven Central. The private key itself is not known to have been compromised, but given that its passphrase is, it must also be considered...
CVE-2025-23215 PMD Designer's release key passphrase (GPG) available on Maven Central in cleartext
PMD is an extensible multilanguage static code analyzer. The passphrase for the PMD and PMD Designer release signing keys is included in the jar published to Maven Central. The private key itself is not known to have been compromised, but given that its passphrase is, it must also be considered...