net.sourceforge.pmd
cpe:2.3:a:pmd_project:pmd:*:*:*:*:*:*:*
- >= 6.21.0, <= 7.9.0
A vulnerability exists in PMD and PMD Designer because the passphrase of the release signing key was exposed in a JAR file published to Maven Central. The private key itself is not known to have been compromised, but with its passphrase available, anyone who obtains the key material could use it, so the key can no longer be trusted. This issue affects PMD versions 6.21.0 through 7.9.0 and PMD Designer version 7.0.0; the latest PMD Eclipse Plugin release is also impacted. As a mitigation, the affected signing keys have been revoked, and future releases will be signed with a new key.
The exposure of the GPG key passphrase for the PMD and PMD Designer release signing keys raises the potential for misuse, although the private keys themselves are not known to have been compromised.
The vulnerability can be reproduced by downloading the affected PMD or PMD Designer JAR file from Maven Central and inspecting its contents for the GPG passphrase, which is present in cleartext. A tool such as grep is sufficient to search the JAR's contents for the passphrase.
Users can update to PMD version 7.10.0 or PMD Designer version 7.10.0 to address this vulnerability. For the PMD Eclipse Plugin, no direct update is available, but users should be aware of the signing key change.
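As an added example (not code from this advisory or from the PMD project), the following Python check does two things a consumer of the affected artifacts would want: it tells whether a declared PMD version falls inside the affected range 6.21.0 through 7.9.0, and it unpacks a JAR (a zip file) to look for secret-like entries such as a signing passphrase in a properties file. The regex patterns, file suffixes and the sample JAR are constructed for this example and are not the real strings from the PMD artifact; the JAR is decompressed entry by entry because grep over the raw .jar misses compressed members.

```python
import io
import re
import zipfile

# Versions this advisory lists as affected (inclusive bounds from the record above).
AFFECTED_MIN = (6, 21, 0)
AFFECTED_MAX = (7, 9, 0)

# Patterns that look like a leaked signing passphrase or key material inside a
# published artifact. Constructed for this example; they are not the strings
# from the real PMD JAR.
SECRET_PATTERNS = [
    re.compile(rb"(?i)(gpg|pgp|signing)[._-]?passphrase\s*[=:]\s*\S+"),
    re.compile(rb"-----BEGIN PGP PRIVATE KEY BLOCK-----"),
]
TEXT_SUFFIXES = (".properties", ".txt", ".xml", ".yml", ".yaml", ".json", ".MF")

def parse_version(v):
    """Turn '7.9.0' into (7, 9, 0) so ranges compare numerically, not lexically."""
    return tuple(int(p) for p in v.split(".")[:3])

def is_affected(version):
    """True if the PMD version lies in the advisory's affected range 6.21.0..7.9.0."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX

def scan_jar_for_secrets(jar_bytes):
    """Unpack a JAR (a zip file) and report text entries containing secret-like content.
    Entries are decompressed first: grep on the raw .jar misses compressed members."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.endswith(TEXT_SUFFIXES):
                continue
            data = zf.read(info)
            for pat in SECRET_PATTERNS:
                if pat.search(data):
                    hits.append((info.filename, pat.pattern.decode()))
    return hits

def build_sample_jar():
    """Constructed sample artifact: one harmless entry and one leaked-looking property."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("release.properties", "gpg.passphrase=EXAMPLE-NOT-REAL\n")
    return buf.getvalue()

if __name__ == "__main__":
    print(is_affected("7.9.0"), scan_jar_for_secrets(build_sample_jar()))
```

To check a real download, read the .jar from disk and pass its bytes to scan_jar_for_secrets; a non-empty result means the artifact ships text entries matching the secret patterns and should be treated as untrusted until verified against the new signing key.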