CVE-2020-12642
XXE vulnerability in Launch import
Description
| Release Date | Affected Projects | Affected Versions | Access Vector| Security Risk | |--------------|-------------------|-------------------|---------------|---------------| | Monday, May 4, 2020| [service-api](https://github.com/reportportal/service-api) | Every version, starting from 3.1.0 | Remote | Medium | ### Impact Starting from version 3.1.0 we introduced a new feature of JUnit XML launch import. Unfortunately XML parser was not configured properly to prevent XML external entity (XXE) attacks. This allows a user to import a specifically-crafted XML file that uses external entities for extraction of secrets from Report Portal service-api module or server-side request forgery. Report Portal versions 4.3.12+ and 5.1.1+ disables external entity resolution for theirs XML parser. We advise our users install the latest releases we built specifically to address this issue. ### Patches Fixed with https://github.com/reportportal/service-api/pull/1201 ### Binary Download https://bintray.com/epam/reportportal/service-api/5.1.1 https://bintray.com/epam/reportportal/service-api/4.3.12 ### Docker Container Download * RP v4: `docker pull reportportal/service-api:4.3.12` * RP v5: `docker pull reportportal/service-api:5.1.1` ### Acknowledgement The issue was reported to Report Portal Team by an external security researcher. Our Team thanks Julien M. for reporting the issue. ### For more information If you have any questions or comments about this advisory email us: [support@reportportal.io](mailto:support@reportportal.io)
How to fix CVE-2020-12642
To remediate CVE-2020-12642, upgrade the affected package to a fixed version below.
- —upgrade to 4.3.12 or later
Is CVE-2020-12642 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 3.1.0, < 4.3.12