GHSA-24wf-7vf2-pv59

Source

https://github.com/advisories/GHSA-24wf-7vf2-pv59

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-24wf-7vf2-pv59/GHSA-24wf-7vf2-pv59.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-24wf-7vf2-pv59

Aliases

CVE-2021-29620

Published

2021-06-28T16:38:29Z

Modified

2023-11-08T04:05:42.878361Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

XXE vulnerability on Launch import with externally-defined DTD file

Details

Impact

Starting from version 3.1.0 we introduced a new feature of JUnit XML launch import. Unfortunately XML parser was not configured properly to prevent XML external entity (XXE) attacks. This allows a user to import a specifically-crafted XML file which imports external Document Type Definition (DTD) file with external entities for extraction of secrets from Report Portal service-api module or server-side request forgery.

Patches

Fixed with: https://github.com/reportportal/service-api/pull/1392

Binaries

docker pull reportportal/service-api:5.4.0 https://github.com/reportportal/service-api/packages/846871?version=5.4.0

For more information

If you have any questions or comments about this advisory email us: support@reportportal.io

Database specific

{
    "nvd_published_at": "2021-06-23T18:15:00Z",
    "github_reviewed_at": "2021-06-25T13:06:33Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-611"
    ]
}

References

Affected packages

Maven / com.epam.reportportal:service-api

Package

Name: com.epam.reportportal:service-api; View open source insights on deps.dev
Purl: pkg:maven/com.epam.reportportal/service-api

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.1.0

Fixed

5.4.0

Affected versions

3.*

3.1.1

3.2.0

3.2.1

3.3.2

4.*

4.0.0

4.1.1

4.2.1

4.3.10

4.3.11

4.3.12

5.*

5.0.0

5.1.0

5.1.1

5.2.0

5.2.1

5.2.2

5.2.3

5.3.0

5.3.1

5.3.2

5.3.3

5.3.4

5.3.5