CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
53.9%
Release Date | Affected Projects | Affected Versions | Access Vector | Security Risk |
---|---|---|---|---|
Monday, May 4, 2020 | service-api | Every version, starting from 3.1.0 | Remote | Medium |
Starting from version 3.1.0 we introduced a new feature of JUnit XML launch import. Unfortunately XML parser was not configured properly to prevent XML external entity (XXE) attacks. This allows a user to import a specifically-crafted XML file that uses external entities for extraction of secrets from Report Portal service-api module or server-side request forgery.
Report Portal versions 4.3.12+ and 5.1.1+ disables external entity resolution for theirs XML parser.
We advise our users install the latest releases we built specifically to address this issue.
Fixed with https://github.com/reportportal/service-api/pull/1201
https://bintray.com/epam/reportportal/service-api/5.1.1
https://bintray.com/epam/reportportal/service-api/4.3.12
docker pull reportportal/service-api:4.3.12
docker pull reportportal/service-api:5.1.1
The issue was reported to Report Portal Team by an external security researcher.
Our Team thanks Julien M. for reporting the issue.
If you have any questions or comments about this advisory email us: [email protected]
Vendor | Product | Version | CPE |
---|---|---|---|
com.epam.reportportal | service-api | * | cpe:2.3:a:com.epam.reportportal:service-api:*:*:*:*:*:*:*:* |
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
53.9%