Julien M

**Name of the Vulnerable Software and Affected Versions** service-api versions 3.1.0 through 4.3.11 service-api versions 5.0.0 through 5.1.0 **Description** An issue in service-api allows XXE, with resultant secrets disclosure and SSRF, via JUnit XML launch import. This is due to the XML parser not being configured properly to prevent XML external entity (XXE) attacks, allowing a user to import a specifically-crafted XML file for extraction of secrets or server-side request forgery. **Recommendations** For service-api versions 3.1.0 through 4.3.11, update to version 4.3.12 or later. For service-api versions 5.0.0 through 5.1.0, update to version 5.1.1 or later. As a temporary workaround, consider disabling the JUnit XML launch import feature until a patch is available. Restrict access to the XML parser to minimize the risk of exploitation.