CVE-2021-29620 XXE vulnerability on Launch import with externally-defined DTD file

2021-06-2317:35:11

CWE-611

GitHub_M

www.cve.org

vulnerability

launch import

xxe

dtd

xml parsing

report portal

service-api

extraction

secrets

security

ssrf

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

48.9%

JSON

Report portal is an open source reporting and analysis framework. Starting from version 3.1.0 of the service-api XML parsing was introduced. Unfortunately the XML parser was not configured properly to prevent XML external entity (XXE) attacks. This allows a user to import a specifically-crafted XML file which imports external Document Type Definition (DTD) file with external entities for extraction of secrets from Report Portal service-api module or server-side request forgery. This will be resolved in the 5.4.0 release.

CNA Affected

[
  {
    "product": "reportportal",
    "vendor": "reportportal",
    "versions": [
      {
        "status": "affected",
        "version": ">= 3.1.0, < 5.4.0"
      }
    ]
  }
]