VYPR
Unrated severity · NVD Advisory · Published Apr 13, 2021 · Updated Aug 3, 2024

CVE-2021-28973

Description

The Administration console XML Import in Perforce Helix ALM 2020.3.1 Build 22 allows XXE attacks due to insecure XML parser configuration, leading to sensitive file disclosure.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The XML Import functionality in the Administration console of Perforce Helix ALM version 2020.3.1 Build 22 (and potentially earlier versions) accepts XML input that is parsed by an insecurely configured XML parser, resulting in XML External Entity (XXE) injection [1]. The vulnerability exists in the import feature accessible via the administration console's left menu under 'XML Import'. The parser does not disable DTDs or external entity resolution [1].

Exploitation

An attacker with network access to the Helix ALM administration console can craft a malicious XML payload containing an external entity reference (e.g., file:///C:/Windows/win.ini). The attacker logs in, navigates to the 'XML Import' page, browses to the malicious XML file, and clicks the 'Validate' button [1]. The server processes the XML, resolves the external entity, and reflects the file contents in an error message [1]. Valid administration console credentials are the only prerequisite the reference describes (the attacker logs in before importing); the administration console normally requires administrator privileges.

Impact

Successful exploitation allows an attacker to read arbitrary files from the server's file system with the privileges of the Helix ALM service account [1]. This can lead to disclosure of sensitive configuration data, credentials, or other confidential information. The attack is remote and does not require user interaction beyond the attacker performing the import steps [1].

Mitigation

Perforce has addressed the issue in Helix ALM version 2021.1.0 [1]. Users should upgrade to this version or later. If upgrading is not immediately possible, administrators should restrict access to the administration console and validate all XML input before processing. No workaround is provided in the reference. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Insecure XML parser configuration allows inline DTDs and external entity resolution, enabling XXE attacks."

Attack vector

An attacker crafts an XML file containing a malicious DOCTYPE declaration with an external entity that references a local file (e.g., `C:\Windows\win.ini`). The attacker logs into the Administration console, navigates to the 'XML Import' menu, uploads the file via the 'Browse' button, and clicks 'Validate'. The server parses the XML with an insecure parser that resolves the external entity, and the file content is disclosed in the resulting error message [1].

Affected code

The XML Import functionality in the Administration console of Perforce Helix ALM 2020.3.1 Build 22 parses user-supplied XML input with an insecurely configured XML parser. The advisory identifies the XML Import feature as the vulnerable code path and states that the parser must be hardened to disable inline DTDs and external entities [1].

What the fix does

The advisory recommends hardening the XML parser by disabling inline DTDs and external entities. Perforce released version 2021.1.0, which fixes the vulnerability. No patch diff is provided in the advisory, but the remediation guidance is to update to the fixed version or reconfigure the parser to reject external entity resolution [1].
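Added example (not Perforce's code and not from the advisory): a Python gate that implements the remediation described here and in the Mitigation section, refusing any import document that declares a DTD or references an external entity before the document reaches the real parser. The `import`/`project` element names and both sample documents are constructed for the demonstration.

```python
import xml.parsers.expat
import xml.etree.ElementTree as ET

class UnsafeXMLError(ValueError):
    """Raised when an import document declares a DTD or an external entity."""

def assert_no_dtd(xml_bytes: bytes) -> None:
    """Reject any DOCTYPE/DTD before the document reaches the real parser.
    expat's tokenizer does the detection (not a byte search), so a declaration
    hidden by a different encoding such as UTF-16 is still caught."""
    findings = []
    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = lambda name, *_: findings.append(("doctype", name))
    parser.EntityDeclHandler = lambda name, *_: findings.append(("entity", name))

    def refuse_external(context, base, sysid, pubid):
        findings.append(("external-ref", sysid))
        return 0  # 0 tells expat to abort instead of fetching sysid

    parser.ExternalEntityRefHandler = refuse_external
    try:
        parser.Parse(xml_bytes, True)
    except xml.parsers.expat.ExpatError:
        if not findings:
            raise  # malformed XML unrelated to DTDs: let the caller see it
    if findings:
        raise UnsafeXMLError(f"DTD constructs are not allowed: {findings}")

def import_xml(xml_bytes: bytes) -> ET.Element:
    """Hardened import path: gate first, then parse as usual."""
    assert_no_dtd(xml_bytes)
    return ET.fromstring(xml_bytes)

def is_safe_import(xml_bytes: bytes) -> bool:
    """True when the gate accepts the document, False when it rejects it."""
    try:
        assert_no_dtd(xml_bytes)
        return True
    except UnsafeXMLError:
        return False

# Constructed samples (not from the advisory). XXE_IMPORT is the document class
# the advisory describes: an external entity pointing at a local file.
XXE_IMPORT = (b'<?xml version="1.0"?>\n'
              b'<!DOCTYPE import [<!ENTITY xxe SYSTEM "file:///C:/Windows/win.ini">]>\n'
              b'<import><project>&xxe;</project></import>')
CLEAN_IMPORT = b'<?xml version="1.0"?>\n<import><project name="demo"/></import>'
```

The gate rejects internal-only DTDs as well, which matches the advisory's "disable inline DTDs" guidance rather than only blocking external entities.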

Preconditions

  • Auth: the attacker must have access to the Administration console's XML Import functionality (requires valid login credentials).
  • Input: the attacker must be able to upload a crafted XML file via the 'Browse' and 'Validate' buttons.

Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1

News mentions: 0 (no linked articles in our index yet)