CVE-2021-29620

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2021-29620

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-29620.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2021-29620

Aliases

GHSA-24wf-7vf2-pv59

Published

2021-06-23T18:15:09Z

Modified

2024-09-03T03:47:25.042099Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

Report portal is an open source reporting and analysis framework. Starting from version 3.1.0 of the service-api XML parsing was introduced. Unfortunately the XML parser was not configured properly to prevent XML external entity (XXE) attacks. This allows a user to import a specifically-crafted XML file which imports external Document Type Definition (DTD) file with external entities for extraction of secrets from Report Portal service-api module or server-side request forgery. This will be resolved in the 5.4.0 release.

References

Affected packages

Git / github.com/reportportal/service-api

Affected ranges

Type: GIT
Repo: https://github.com/reportportal/service-api
Events: Introduced

f9a125e8757f8bd274f364a039cf3d866884d69c

Fixed

00db4e4ef85344e4b483cd384907285574058e50

Affected versions

3.*

3.1.0

3.1.1

3.2.0

3.2.1

3.3.0

3.3.1

4.*

4.0.0

4.1.0

4.1.1

4.2.0

4.2.1

4.3.0

4.3.1

4.3.10

4.3.11

4.3.2

4.3.3

4.3.4

4.3.5

4.3.6

4.3.7

4.3.8

4.3.9

5.*

5.0.0

5.1.0

5.1.0-RC

5.1.0-RC-2

5.1.0-RC-3

5.1.1

5.2.0

5.2.0-RC

5.2.1

5.2.2

5.2.3

5.3.0

5.3.1

5.3.2

5.3.3

5.3.4

5.3.5

CVE-2021-29620

Affected packages

Git / github.com/reportportal/service-api

Affected ranges

Affected versions

3.*

4.*

5.*

Other