7.5
CVE-2021-29620
- EPSS 2.2%
- Veröffentlicht 23.06.2021 18:15:09
- Zuletzt bearbeitet 21.11.2024 06:01:30
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginXXE vulnerability on Launch import with externally-defined DTD file
Report portal is an open source reporting and analysis framework. Starting from version 3.1.0 of the service-api XML parsing was introduced. Unfortunately the XML parser was not configured properly to prevent XML external entity (XXE) attacks. This allows a user to import a specifically-crafted XML file which imports external Document Type Definition (DTD) file with external entities for extraction of secrets from Report Portal service-api module or server-side request forgery. This will be resolved in the 5.4.0 release.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Reportportal ≫ Service-api Version >= 3.1.0 < 5.4.0
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 2.2% | 0.802 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
| nvd@nist.gov | 5 | 10 | 2.9 |
AV:N/AC:L/Au:N/C:P/I:N/A:N
|
| security-advisories@github.com | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
CWE-611 Improper Restriction of XML External Entity Reference
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
https://github.com/reportportal/reportportal/security/advisories/GHSA-24wf-7vf2-pv59
https://github.com/reportportal/service-api/pull/1392
https://mvnrepository.com/artifact/com.epam.reportportal/service-api