GHSA-2JX8-V4HV-GX3H

Vulnerability from github – Published: 2021-06-28 16:45 – Updated: 2021-10-05 17:29
VLAI?
Summary
XXE vulnerability in Launch import
Details
Release Date Affected Projects Affected Versions Access Vector Security Risk
Monday, May 4, 2020 service-api Every version, starting from 3.1.0 Remote Medium

Impact

Starting from version 3.1.0 we introduced a new feature of JUnit XML launch import. Unfortunately XML parser was not configured properly to prevent XML external entity (XXE) attacks. This allows a user to import a specifically-crafted XML file that uses external entities for extraction of secrets from Report Portal service-api module or server-side request forgery.

Report Portal versions 4.3.12+ and 5.1.1+ disables external entity resolution for theirs XML parser.

We advise our users install the latest releases we built specifically to address this issue.

Patches

Fixed with https://github.com/reportportal/service-api/pull/1201

Binary Download

https://bintray.com/epam/reportportal/service-api/5.1.1 https://bintray.com/epam/reportportal/service-api/4.3.12

Docker Container Download

  • RP v4: docker pull reportportal/service-api:4.3.12
  • RP v5: docker pull reportportal/service-api:5.1.1

Acknowledgement

The issue was reported to Report Portal Team by an external security researcher. Our Team thanks Julien M. for reporting the issue.

For more information

If you have any questions or comments about this advisory email us: support@reportportal.io

Severity ?
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Show details on source website
To clipboard Create KEV Entry 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.epam.reportportal:service-api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.1.0"
            },
            {
              "fixed": "4.3.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.epam.reportportal:service-api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-12642"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-06-28T16:45:26Z",
    "nvd_published_at": "2020-05-04T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "| Release Date | Affected Projects | Affected Versions | Access Vector| Security Risk |\n|--------------|-------------------|-------------------|---------------|---------------|\n| Monday, May 4, 2020| [service-api](https://github.com/reportportal/service-api) | Every version, starting from 3.1.0 | Remote | Medium |\n\n### Impact\nStarting from version 3.1.0 we introduced a new feature of JUnit XML launch import. Unfortunately XML parser was not configured properly to prevent XML external entity (XXE) attacks. This allows a user to import a specifically-crafted XML file that uses external entities for extraction of secrets from Report Portal service-api module or server-side request forgery.\n\nReport Portal versions 4.3.12+ and 5.1.1+ disables external entity resolution for theirs XML parser.\n\nWe advise our users install the latest releases we built specifically to address this issue.\n\n### Patches\nFixed with https://github.com/reportportal/service-api/pull/1201\n\n### Binary Download\nhttps://bintray.com/epam/reportportal/service-api/5.1.1\nhttps://bintray.com/epam/reportportal/service-api/4.3.12\n\n### Docker Container Download\n* RP v4: `docker pull reportportal/service-api:4.3.12`\n* RP v5: `docker pull reportportal/service-api:5.1.1`\n\n### Acknowledgement\nThe issue was reported to Report Portal Team by an external security researcher.\nOur Team thanks Julien M. for reporting the issue.\n\n### For more information\nIf you have any questions or comments about this advisory email us: [support@reportportal.io](mailto:support@reportportal.io)",
  "id": "GHSA-2jx8-v4hv-gx3h",
  "modified": "2021-10-05T17:29:41Z",
  "published": "2021-06-28T16:45:47Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/reportportal/reportportal/security/advisories/GHSA-2jx8-v4hv-gx3h"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12642"
    },
    {
      "type": "WEB",
      "url": "https://github.com/reportportal/service-api/pull/1201"
    },
    {
      "type": "WEB",
      "url": "https://github.com/reportportal/service-api/commit/da4a012abdcc69f02f4255d81466f1f473b7f418"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/reportportal/reportportal"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XXE vulnerability in Launch import"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.