XML External Entity Reference · GHSA-7qfm-6m33-rgg9 · GitHub Advisory Database · GitHub

XML External Entity Reference

High severity GitHub Reviewed Published Aug 13, 2021 to the GitHub Advisory Database • Updated Jan 9, 2023

Package

com.epam.reportportal:service-api (Maven)

Affected versions

< 4.3.12

>= 5.0.0, < 5.1.1

Patched versions

4.3.12

5.1.1

Description

An issue was discovered in service-api before 4.3.12 and 5.x before 5.1.1 for Report Portal. It allows XXE, with resultant secrets disclosure and SSRF, via JUnit XML launch import.

References

Reviewed Jun 28, 2021

Published to the GitHub Advisory Database Aug 13, 2021

Last updated Jan 9, 2023

Severity

High

/ 10

CVSS v3 base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N