Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTJqeDgtdjRodi1neDNo
XXE vulnerability in Launch import
Release Date | Affected Projects | Affected Versions | Access Vector | Security Risk |
---|---|---|---|---|
Monday, May 4, 2020 | service-api | Every version, starting from 3.1.0 | Remote | Medium |
Impact
Starting from version 3.1.0, we introduced a new feature: JUnit XML launch import. Unfortunately, the XML parser behind it was not configured to prevent XML external entity (XXE) attacks. A user who can import launches can therefore upload a specially crafted XML file whose external entities are resolved on the server, which allows reading files accessible to the Report Portal service-api process (and the secrets they contain) or using the server to make requests to internal network resources (server-side request forgery).
Report Portal versions 4.3.12+ and 5.1.1+ disable external entity resolution in their XML parser.
We advise all users to install the latest releases, which were built specifically to address this issue.
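The following is an added example, not code from the Report Portal team or the service-api project, showing the failure mode described above in plain JAXP: a JUnit-style report whose DOCTYPE declares an external entity pointing at a local file, parsed once with a default DocumentBuilderFactory and once with a factory that refuses DOCTYPE declarations and external entities. The secret file, its contents and the report itself are constructed here for the demonstration; the hardened feature set is the standard Xerces/JDK one and is not a claim about what the project's own fix does. It assumes a JDK with the built-in Xerces parser and Java 11 or later (for Files.writeString).

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class JunitImportXxeDemo {

    // Constructed JUnit-style report: the DOCTYPE declares an external entity that
    // points at a local file, and <system-out> dereferences it. External entity
    // references are not allowed in attribute values, so the reference sits in
    // element text, which is where a naive importer would copy it into the launch.
    static String craftedReport(Path secret) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE testsuite [ <!ENTITY xxe SYSTEM \"" + secret.toUri() + "\"> ]>\n"
             + "<testsuite name=\"demo\" tests=\"1\">\n"
             + "  <testcase classname=\"demo.T\" name=\"t1\">\n"
             + "    <system-out>&xxe;</system-out>\n"
             + "  </testcase>\n"
             + "</testsuite>\n";
    }

    // Default JAXP configuration: the JDK's DocumentBuilder resolves external entities.
    static DocumentBuilder vulnerableBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened configuration: reject any DOCTYPE, so no entity (internal or external)
    // can be declared; the remaining features are defence in depth for parsers that
    // do not honour disallow-doctype-decl.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    // Parse the report and return the text that an importer would store as the
    // test's captured output.
    static String systemOut(DocumentBuilder db, String xml) throws SAXException, IOException {
        Document doc = db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getElementsByTagName("system-out").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a secret readable by the service process.
        Path secret = Files.createTempFile("rp-secret", ".txt");
        Files.writeString(secret, "db.password=hunter2");
        String xml = craftedReport(secret);

        // Vulnerable: the file contents are copied into the parsed report.
        System.out.println("vulnerable parser: " + systemOut(vulnerableBuilder(), xml));

        // Hardened: the DOCTYPE is rejected before any entity can be resolved.
        try {
            systemOut(hardenedBuilder(), xml);
        } catch (SAXException e) {
            System.out.println("hardened parser rejected report: " + e.getMessage());
        }
        Files.deleteIfExists(secret);
    }
}
```

Swap the file: URI in the entity declaration for an http: URL to an internal address and the same vulnerable parser makes the outbound request, which is the SSRF half of the advisory. Whichever parser API an importer uses (DOM, SAX, StAX, or a JAXB unmarshaller built on one of them), the check is the same: feed it a report with a DOCTYPE and confirm it is rejected rather than resolved.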
Patches
Fixed with https://github.com/reportportal/service-api/pull/1201
Binary Download
https://bintray.com/epam/reportportal/service-api/5.1.1
https://bintray.com/epam/reportportal/service-api/4.3.12
Docker Container Download
- RP v4:
docker pull reportportal/service-api:4.3.12
- RP v5:
docker pull reportportal/service-api:5.1.1
Acknowledgement
The issue was reported to the Report Portal team by an external security researcher.
Our team thanks Julien M. for reporting the issue.
For more information
If you have any questions or comments about this advisory, email us: [email protected]
Permalink: https://github.com/advisories/GHSA-2jx8-v4hv-gx3h
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTJqeDgtdjRodi1neDNo
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 3 years ago
Updated: over 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-2jx8-v4hv-gx3h, CVE-2020-12642
References:
- https://github.com/reportportal/reportportal/security/advisories/GHSA-2jx8-v4hv-gx3h
- https://nvd.nist.gov/vuln/detail/CVE-2020-12642
- https://github.com/reportportal/service-api/pull/1201
- https://github.com/reportportal/service-api/commit/da4a012abdcc69f02f4255d81466f1f473b7f418
- https://github.com/advisories/GHSA-2jx8-v4hv-gx3h
Blast Radius: 2.3
Affected Packages
maven:com.epam.reportportal:service-api
Dependent packages: 0
Dependent repositories: 2
Downloads:
Affected Version Ranges: >= 3.1.0, < 4.3.12; >= 5.0.0, < 5.1.1
Fixed in: 5.1.1, 4.3.12
All affected versions: 3.1.1, 3.2.0, 3.2.1, 3.3.2, 4.0.0, 4.1.1, 4.2.1, 4.3.10, 4.3.11, 5.0.0, 5.1.0
All unaffected versions: 2.6.0, 2.7.2, 3.0.1, 4.3.12, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.3.0, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.3.5, 5.7.0, 5.7.1, 5.7.2, 5.7.3, 5.7.4, 5.8.0, 5.11.0, 5.11.2