High severity · NVD Advisory · Published Jun 23, 2021 · Updated Aug 3, 2024
XXE vulnerability on Launch import with externally-defined DTD file
CVE-2021-29620
Description
Report Portal is an open source reporting and analysis framework. Starting from version 3.1.0 of service-api, XML parsing was introduced. Unfortunately, the XML parser was not configured to prevent XML external entity (XXE) attacks. This allows a user to import a specifically crafted XML file that references an external Document Type Definition (DTD) file with external entities, enabling extraction of secrets from the Report Portal service-api module or server-side request forgery. This will be resolved in the 5.4.0 release.
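The fix for this class of bug is a parser configuration change, not input filtering. The following is an added example written for this page; it is not Report Portal's code and not the fix in the referenced commit. It shows a JAXP `DocumentBuilderFactory` left at its defaults next to a hardened one that refuses any DOCTYPE and disables external entity and DTD loading, then checks both against a constructed launch-import-style document that points at a placeholder DTD URL (`example.invalid`, never fetched). The feature URIs are the standard Xerces/JAXP ones; everything else (class and method names, the sample documents) is assumed for the example.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import java.io.StringReader;

public final class SafeXmlParser {

    // Constructed sample input (not from Report Portal): an import-style document
    // whose DOCTYPE points at an external DTD. The host is a placeholder and is
    // never contacted by the hardened parser because the DOCTYPE itself is rejected.
    static final String EXTERNAL_DTD_SAMPLE =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE testsuite SYSTEM \"http://example.invalid/launch.dtd\">\n" +
        "<testsuite name=\"demo\"/>";

    // Constructed benign sample: what a legitimate import should look like.
    static final String PLAIN_SAMPLE =
        "<?xml version=\"1.0\"?>\n<testsuite name=\"demo\"><testcase name=\"t1\"/></testsuite>";

    /** Weak configuration: JAXP defaults. Depending on the JDK and the XML
     *  implementation on the classpath, this may resolve DOCTYPE declarations,
     *  load external DTDs and expand external entities. */
    static DocumentBuilderFactory weakFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    /** Hardened configuration: reject DOCTYPE outright (the one setting that
     *  blocks XXE by itself), then disable entity and DTD loading as defence in
     *  depth for parsers that ignore the first feature. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        // JAXP 1.5+ properties: empty string means "no protocols allowed".
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f;
    }

    /** Returns true if the given factory accepts the document, false if parsing
     *  fails for any reason (malformed input, rejected DOCTYPE, unreachable DTD). */
    static boolean parses(DocumentBuilderFactory factory, String xml) {
        try {
            DocumentBuilder builder = factory.newDocumentBuilder();
            Document doc = builder.parse(new InputSource(new StringReader(xml)));
            return doc.getDocumentElement() != null;
        } catch (Exception e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory hardened = hardenedFactory();
        // Expected: the benign import is accepted, the DOCTYPE-bearing one is
        // refused before any external resource is touched.
        System.out.println("hardened accepts plain import:        " + parses(hardened, PLAIN_SAMPLE));
        System.out.println("hardened accepts external-DTD sample: " + parses(hardened, EXTERNAL_DTD_SAMPLE));
        // The weak factory is only exercised on the benign document here; feeding
        // it EXTERNAL_DTD_SAMPLE would make the default parser attempt to fetch the DTD.
        System.out.println("default accepts plain import:         " + parses(weakFactory(), PLAIN_SAMPLE));
    }
}
```

Apply the same settings to every XML entry point in the service (SAX, StAX and transformer factories each have their own equivalents); hardening a single `DocumentBuilderFactory` while another code path still uses defaults leaves the import feature exposed. If `setFeature` throws `ParserConfigurationException` for one of the URIs, the underlying parser does not recognise it, which is itself a signal to check which XML implementation is on the classpath.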
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.epam.reportportal:service-api (Maven) | >= 3.1.0, < 5.4.0 | 5.4.0 |
Affected products
- com.epam.reportportal:service-api, range: >= 3.1.0, < 5.4.0
References
- github.com/advisories/GHSA-24wf-7vf2-pv59 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-29620 (NVD advisory)
- github.com/reportportal/reportportal/security/advisories/GHSA-24wf-7vf2-pv59 (vendor advisory)
- github.com/reportportal/service-api/commit/a73e0dfb4eda844c37139df1f9847013d55f084e (fix commit)
- github.com/reportportal/service-api/pull/1392 (fix pull request)
- mvnrepository.com/artifact/com.epam.reportportal/service-api (Maven artifact)