CVE-2020-12642

Name of the Vulnerable Software and Affected Versions service-api versions 3.1.0 through 4.3.11 service-api versions 5.0.0 through 5.1.0

Description An issue in service-api allows XXE, with resultant secrets disclosure and SSRF, via JUnit XML launch import. This is due to the XML parser not being configured properly to prevent XML external entity (XXE) attacks, allowing a user to import a specifically-crafted XML file for extraction of secrets or server-side request forgery.

Recommendations For service-api versions 3.1.0 through 4.3.11, update to version 4.3.12 or later. For service-api versions 5.0.0 through 5.1.0, update to version 5.1.1 or later. As a temporary workaround, consider disabling the JUnit XML launch import feature until a patch is available. Restrict access to the XML parser to minimize the risk of exploitation.