Skip to content

XXE vulnerability on Launch import with externally-defined DTD file

High
HardNorth published GHSA-24wf-7vf2-pv59 Jun 23, 2021

Package

maven service-api (Maven)

Affected versions

>= 3.1.0

Patched versions

5.4.0

Description

Impact

Starting from version 3.1.0 we introduced a new feature of JUnit XML launch import. Unfortunately XML parser was not configured properly to prevent XML external entity (XXE) attacks. This allows a user to import a specifically-crafted XML file which imports external Document Type Definition (DTD) file with external entities for extraction of secrets from Report Portal service-api module or server-side request forgery.

Patches

Fixed with: reportportal/service-api#1392

Binaries

docker pull reportportal/service-api:5.4.0
https://github.com/reportportal/service-api/packages/846871?version=5.4.0

For more information

If you have any questions or comments about this advisory email us: support@reportportal.io

Severity

High
7.5
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE ID

CVE-2021-29620

Weaknesses