GHSA-2jx8-v4hv-gx3h

Source
https://github.com/advisories/GHSA-2jx8-v4hv-gx3h
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-2jx8-v4hv-gx3h/GHSA-2jx8-v4hv-gx3h.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-2jx8-v4hv-gx3h
Aliases
Published
2021-06-28T16:45:47Z
Modified
2023-11-01T04:51:37.281275Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
XXE vulnerability in Launch import
Details

| Release Date | Affected Projects | Affected Versions | Access Vector | Security Risk |
|--------------|-------------------|-------------------|---------------|---------------|
| Monday, May 4, 2020 | service-api | Every version, starting from 3.1.0 | Remote | Medium |

Impact

Starting from version 3.1.0 we introduced a new feature: JUnit XML launch import. Unfortunately, the XML parser used for that import was not configured to prevent XML external entity (XXE) attacks. A user who can import launches can therefore upload a specially crafted XML file whose external entities are resolved on the server, which allows extraction of files (and thus secrets) readable by the Report Portal service-api module, or server-side request forgery from the service-api host.

Report Portal versions 4.3.12+ and 5.1.1+ disable external entity resolution in their XML parser.

We advise users to install the latest releases, which were built specifically to address this issue.
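
The following is an added example, not code from the service-api repository or from the fix referenced below. It shows the mechanism behind the advisory: a constructed JUnit-style report whose DOCTYPE declares an external entity, parsed once with JAXP defaults (entity contents end up in the parsed document, and in a real import in the stored launch) and once with a hardened `DocumentBuilderFactory` that rejects the DOCTYPE. The class name, the temp file standing in for a secret, and the `firstSystemOut` helper are assumptions of this example; the feature URIs are the standard Xerces/JAXP ones.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXParseException;

// Example code, not part of Report Portal service-api.
public class JunitImportXxeDemo {

    // Constructed JUnit-style report. The DOCTYPE declares an external entity whose
    // value is the contents of a local file; an unhardened parser inlines it into
    // <system-out>. A SYSTEM identifier pointing at an http:// URL instead of a
    // file:// URI turns the same bug into server-side request forgery.
    static String buildReport(Path secretFile) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE testsuite [\n"
             + "  <!ENTITY secret SYSTEM \"" + secretFile.toUri() + "\">\n"
             + "]>\n"
             + "<testsuite name=\"demo\" tests=\"1\">\n"
             + "  <testcase name=\"leak\"><system-out>&secret;</system-out></testcase>\n"
             + "</testsuite>\n";
    }

    // Unhardened parser: JAXP defaults resolve external general entities.
    static DocumentBuilder vulnerableBuilder() throws Exception {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened parser: refuse any DOCTYPE (this alone stops XXE, parameter-entity
    // tricks and entity-expansion DoS), and additionally switch off every entity
    // and DTD loading mechanism in case a non-Xerces parser ignores that feature.
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Parses the report and returns the text of the first <system-out> element,
    // i.e. what an importer would persist for that test case.
    static String firstSystemOut(DocumentBuilder builder, String xml) throws Exception {
        Document doc = builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        NodeList out = doc.getElementsByTagName("system-out");
        return out.getLength() == 0 ? "" : out.item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Stand-in for a secret readable by the service process (constructed).
        Path secret = Files.createTempFile("rp-secret", ".txt");
        Files.writeString(secret, "db.password=hunter2");
        String report = buildReport(secret);

        // Vulnerable path: the file contents appear in the parsed document.
        System.out.println("vulnerable parser system-out: " + firstSystemOut(vulnerableBuilder(), report));

        // Hardened path: the DOCTYPE is rejected before any entity is resolved.
        try {
            firstSystemOut(hardenedBuilder(), report);
            System.out.println("hardened parser: unexpectedly accepted the report");
        } catch (SAXParseException e) {
            System.out.println("hardened parser rejected report: " + e.getMessage());
        }

        Files.deleteIfExists(secret);
    }
}
```

When checking a deployment rather than code, the quickest test is to import a report with a DOCTYPE that references a non-existent local file: a patched service-api rejects the document outright, while a vulnerable one either imports it with the entity resolved or fails only when it tries to open the file.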

Patches

Fixed with https://github.com/reportportal/service-api/pull/1201

Binary Download

  • https://bintray.com/epam/reportportal/service-api/5.1.1
  • https://bintray.com/epam/reportportal/service-api/4.3.12

Docker Container Download

  • RP v4: docker pull reportportal/service-api:4.3.12
  • RP v5: docker pull reportportal/service-api:5.1.1

Acknowledgement

The issue was reported to the Report Portal team by an external security researcher. Our team thanks Julien M. for reporting the issue.

For more information

If you have any questions or comments about this advisory email us: support@reportportal.io

Database specific
{
    "nvd_published_at": "2020-05-04T16:15:00Z",
    "github_reviewed_at": "2021-06-28T16:45:26Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-611"
    ]
}
References

Affected packages

Maven / com.epam.reportportal:service-api

Package

Name
com.epam.reportportal:service-api
Purl
pkg:maven/com.epam.reportportal/service-api

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.1.0
Fixed
4.3.12

Affected versions

3.*

3.1.1
3.2.0
3.2.1
3.3.2

4.*

4.0.0
4.1.1
4.2.1
4.3.10
4.3.11

Maven / com.epam.reportportal:service-api

Package

Name
com.epam.reportportal:service-api
Purl
pkg:maven/com.epam.reportportal/service-api

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0
Fixed
5.1.1

Affected versions

5.*

5.0.0
5.1.0