XXE vulnerability on Launch import with externally-defined DTD file
Description
Report Portal is an open source reporting and analysis framework. XML parsing was introduced in version 3.1.0 of the service-api module, but the XML parser was not configured to prevent XML external entity (XXE) attacks. A user can therefore import a specially crafted XML file that references an external Document Type Definition (DTD) containing external entities, which can be used to extract secrets from the Report Portal service-api module or to perform server-side request forgery. This will be resolved in the 5.4.0 release.
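The fix below this advisory hardens a SAXParserFactory and its XMLReader against exactly the DTD-driven attack described above. The following is an added example, not code from Report Portal: a hypothetical demo class that applies the same feature set and feeds it two constructed JUnit-style reports, one plain and one carrying a DOCTYPE that points at a placeholder external DTD host. The class name, the sample documents and the host are assumptions made for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.Attributes;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

/**
 * Hypothetical demo (not part of Report Portal) showing a SAX parser configured
 * with the DTD and entity features the service-api fix sets, and how a report
 * that carries a DOCTYPE is rejected before any external fetch can happen.
 */
public class HardenedXunitParserDemo {

    // Constructed sample input; the DTD host is a placeholder, not a real system.
    static final String REPORT_WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE testsuite SYSTEM \"http://dtd.example.invalid/report.dtd\">\n"
      + "<testsuite name=\"demo\"><testcase name=\"t1\"/></testsuite>";

    // Constructed sample input with no DTD at all.
    static final String PLAIN_REPORT =
        "<?xml version=\"1.0\"?>\n"
      + "<testsuite name=\"demo\"><testcase name=\"t1\"/><testcase name=\"t2\"/></testsuite>";

    /** Builds a SAXParser with every DTD/entity restriction the fix applies. */
    static SAXParser hardenedParser() throws ParserConfigurationException, SAXException {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);
        // Reject any DOCTYPE outright; this alone blocks external DTDs and entity declarations.
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that do not honour disallow-doctype-decl.
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        spf.setXIncludeAware(false);
        SAXParser parser = spf.newSAXParser();
        // The fix also sets the features on the XMLReader; mirror that here.
        XMLReader reader = parser.getXMLReader();
        reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
        reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return parser;
    }

    /** Counts <testcase> elements in xml; returns -1 if the hardened parser rejects it. */
    static int countTestCases(String xml) throws IOException, ParserConfigurationException, SAXException {
        final int[] count = {0};
        DefaultHandler handler = new DefaultHandler() {
            @Override
            public void startElement(String uri, String localName, String qName, Attributes attrs) {
                if ("testcase".equals(localName) || "testcase".equals(qName)) {
                    count[0]++;
                }
            }
        };
        SAXParser parser = hardenedParser();
        try {
            parser.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)), handler);
            return count[0];
        } catch (SAXException e) {
            // disallow-doctype-decl surfaces as a SAXParseException as soon as the
            // DOCTYPE is seen, before any entity is resolved or any URL is fetched.
            System.err.println("rejected: " + e.getMessage());
            return -1;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("plain report -> " + countTestCases(PLAIN_REPORT));
        System.out.println("with DOCTYPE -> " + countTestCases(REPORT_WITH_DOCTYPE));
    }
}
```

Run it with `javac HardenedXunitParserDemo.java && java HardenedXunitParserDemo`. The plain report is parsed and its testcase count printed; the report with the DOCTYPE is rejected by the parser with a SAXParseException, so the method returns -1 and nothing is ever requested from the DTD host. The SAXException catch mirrors the `catch (SAXException | IOException | ParserConfigurationException e)` branch in the patched XunitParseJob, which is where an import of a DTD-bearing report now ends up.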
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.epam.reportportal:service-api (Maven) | >= 3.1.0, < 5.4.0 | 5.4.0 |
Affected products
- Range: >= 3.1.0, < 5.4.0
Patches
a73e0dfb4eda: Merge pull request #1392 from reportportal/sax-parser-fix
2 files changed · +9 −4
src/main/java/com/epam/ta/reportportal/core/imprt/impl/junit/XunitParseJob.java+8 −3 modified@@ -52,13 +52,18 @@ public ParseResults call() { // Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-general-entities // Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-general-entities + // Xerces 2 only - http://xerces.apache.org/xerces-j/features.html#external-general-entities + spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // Using the SAXParserFactory's setFeature spf.setFeature("http://xml.org/sax/features/external-general-entities", false); + spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false); + spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); + spf.setXIncludeAware(false); // Using the XMLReader's setFeature + reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); + reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); reader.setFeature("http://xml.org/sax/features/external-general-entities", false); - - // Xerces 2 only - http://xerces.apache.org/xerces-j/features.html#external-general-entities - spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); + reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false); saxParser.parse(xmlInputStream, handler); } catch (SAXException | IOException | ParserConfigurationException e) {
.travis.yml+1 −1 modified@@ -4,7 +4,7 @@ sudo: true before_install: - sudo apt-get install -y fonts-noto -script: ./gradlew buildDocker --full-stacktrace --no-build-cache +script: ./gradlew build --full-stacktrace --no-build-cache env: global:
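Review bot: the comment moved above the new `spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` call in the XunitParseJob hunk still reads `// Xerces 2 only - http://xerces.apache.org/xerces-j/features.html#external-general-entities`, so it links to the external-general-entities anchor rather than the disallow-doctype-decl feature it now documents; point it at the right feature or drop it. Worth stating in the PR as well: with disallow-doctype-decl set, any imported report that carries a DOCTYPE now fails with a SAXParseException, and a SAX implementation that does not recognise the apache.org feature URIs throws SAXNotRecognizedException; both land in the existing `catch (SAXException | IOException | ParserConfigurationException e)` branch, so parsing fails closed either way, but a log line that distinguishes "DOCTYPE rejected" from "malformed report" would help operators understand why an import stopped working.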
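Review bot: the .travis.yml change from `-script: ./gradlew buildDocker --full-stacktrace --no-build-cache` to `+script: ./gradlew build --full-stacktrace --no-build-cache` is unrelated to the parser hardening and the PR title (sax-parser-fix) does not mention it; either split it into its own commit or explain in the PR description why the Docker build step is dropped from CI, so the security fix can be reviewed and backported on its own.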
References
- github.com/advisories/GHSA-24wf-7vf2-pv59 (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-29620 (NVD advisory)
- github.com/reportportal/reportportal/security/advisories/GHSA-24wf-7vf2-pv59 (vendor advisory)
- github.com/reportportal/service-api/commit/a73e0dfb4eda844c37139df1f9847013d55f084e (fix commit)
- github.com/reportportal/service-api/pull/1392 (fix pull request)
- mvnrepository.com/artifact/com.epam.reportportal/service-api (Maven artifact)