Report Portal service-api XXE Vulnerabilities (CVE-2021-29620/CVE-2020-12642)

From this webpage screenshot, the following key vulnerability information can be obtained: XXE Vulnerability Information - 2021-06-28 - XXE Vulnerability - Release Date: June 28, 2021 - Affected Project: service-api - Affected Versions: All versions starting from 3.1.0 - CVE ID: CVE-2021-29620 - Access Vector: Remote - Security Risk: High - Summary: Starting from version 3.1.0, service-api introduced XML parsing functionality; however, the XML parser was misconfigured and did not prevent XML External Entity (XXE) attacks. Attackers can import specially crafted XML files and exploit external references to extract confidential information from the Report Portal service-api module or perform Server-Side Request Forgery (SSRF). - Remediation: Users are advised to install the latest patched version, such as . - Contact: support@reportportal.io - 2020-05-04 - XXE Vulnerability - Release Date: May 4, 2020 - Affected Project: service-api - Affected Versions: All versions starting from 3.1.0 - CVE ID: CVE-2020-12642 - Access Vector: Remote - Security Risk: High - Summary: Starting from version 3.1.0, Report Portal introduced a new feature for importing JUnit XML startup files, but the XML parser was misconfigured and did not prevent XXE attacks. Attackers can import specially crafted XML files and exploit external entities to extract confidential information from the Report Portal service-api module or perform Server-Side Request Forgery (SSRF). - Remediation: Users are advised to upgrade to the latest versions: for RP v4: , for RP v5: . - Acknowledgement: This issue was reported by external security researcher Julien M., and the team thanks him for reporting it. - Contact: support@reportportal.io

Goal Reached Thanks to every supporter — we hit 100%!

Report Portal service-api XXE Vulnerabilities (CVE-2021-29620/CVE-2020-12642)

More from this source