CVE-2022-0219: 
Java vulnerability analysis and mitigation

Improper Restriction of XML External Entity Reference vulnerability (CVE-2022-0219) was discovered in GitHub repository skylot/jadx prior to version 1.3.2. The vulnerability was disclosed and tracked in January 2022, affecting the XML parsing functionality in the JADX decompiler tool (NVD, CVE).

The vulnerability is classified as an XML External Entity (XXE) Reference issue, identified as CWE-611. It received a CVSS v3.1 Base Score of 5.5 (MEDIUM) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. This indicates that the vulnerability requires local access and user interaction, but can potentially lead to high confidentiality impacts (NVD).

The vulnerability could allow an attacker to read arbitrary files on the system through XML External Entity (XXE) processing. This primarily affects the confidentiality of the system, with potential for information disclosure, while integrity and availability remain unaffected (NVD).

The vulnerability was fixed in JADX version 1.3.2 by implementing a secure XML parser for processing manifest files. The fix involves replacing the standard DocumentBuilderFactory with a secure XML parser implementation (GitHub Patch).