CVE-2020-12642

Description

| Release Date | Affected Projects | Affected Versions | Access Vector| Security Risk | |--------------|-------------------|-------------------|---------------|---------------| | Monday, May 4, 2020| [service-api](https://github.com/reportportal/service-api) | Every version, starting from 3.1.0 | Remote | Medium | ### Impact Starting from version 3.1.0 we introduced a new feature of JUnit XML launch import. Unfortunately XML parser was not configured properly to prevent XML external entity (XXE) attacks. This allows a user to import a specifically-crafted XML file that uses external entities for extraction of secrets from Report Portal service-api module or server-side request forgery. Report Portal versions 4.3.12+ and 5.1.1+ disables external entity resolution for theirs XML parser. We advise our users install the latest releases we built specifically to address this issue. ### Patches Fixed with https://github.com/reportportal/service-api/pull/1201 ### Binary Download https://bintray.com/epam/reportportal/service-api/5.1.1 https://bintray.com/epam/reportportal/service-api/4.3.12 ### Docker Container Download * RP v4: `docker pull reportportal/service-api:4.3.12` * RP v5: `docker pull reportportal/service-api:5.1.1` ### Acknowledgement The issue was reported to Report Portal Team by an external security researcher. Our Team thanks Julien M. for reporting the issue. ### For more information If you have any questions or comments about this advisory email us: [[email protected]](mailto:[email protected])

Affected packages (1)

• Maven/com.epam.reportportal:service-api>= 3.1.0, < 4.3.12

CVSS scores

References (5)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-12642
• PATCHhttps://github.com/reportportal/reportportal
• WEBhttps://github.com/reportportal/reportportal/security/advisories/GHSA-2jx8-v4hv-gx3h
• WEBhttps://github.com/reportportal/service-api/commit/da4a012abdcc69f02f4255d81466f1f473b7f418
• WEBhttps://github.com/reportportal/service-api/pull/1201