PT-2021-18371 · Unknown · Report Portal Service-Api

Published 2021-06-23 · Updated 2021-06-30 · CVE-2021-29620

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Report Portal service-api versions 3.1.0 through 5.3.x

Description: The issue is an XML external entity (XXE) vulnerability. It allows a user to import a specially crafted XML file that references external Document Type Definition (DTD) files containing external entities. This can lead to the extraction of secrets from the Report Portal service-api module or enable server-side request forgery. The vulnerability was introduced in version 3.1.0 of the service-api, when XML parsing was added.

Recommendations: For versions 3.1.0 through 5.3.x, update to version 5.4.0 to resolve the issue. As a temporary workaround, consider disabling the XML parsing feature in the service-api module until the update to version 5.4.0 is applied. Restrict access to the service-api module to minimize the risk of exploitation.
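As an added illustration, not code from the Report Portal project or from this advisory: a JAXP DocumentBuilderFactory configured so that any imported XML declaring a DOCTYPE, and with it any external DTD or entity, is rejected before parsing proceeds. The class name, the sample report and the `example.invalid` host are constructed for the example.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXParseException;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

public class HardenedXmlImport {

    // Constructed sample of an imported report that declares an external DTD.
    // The host is a reserved .invalid name; the hardened parser never contacts it.
    static final String REPORT_WITH_DTD =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE testsuite SYSTEM \"http://dtd.example.invalid/report.dtd\">\n"
        + "<testsuite name=\"constructed sample\"/>";

    /** Parser factory with DOCTYPEs forbidden and every external fetch disabled. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Primary control: refuse any DOCTYPE, so no DTD and no entity declarations at all.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case the DOCTYPE rule is ever relaxed for a trusted format.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");     // no file:/http: DTD access
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");  // no external schema access
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Returns null when the document is accepted, otherwise the parser's rejection message. */
    static String rejectionReason(String xml) throws Exception {
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        try {
            builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return null;
        } catch (SAXParseException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // The DOCTYPE is reported as disallowed before any external lookup can happen.
        System.out.println("sample with DTD -> " + rejectionReason(REPORT_WITH_DTD));
        System.out.println("plain report    -> " + rejectionReason("<testsuite name=\"ok\"/>"));
    }
}
```

A rejected import should also be logged with the source user and the parser message, since a DOCTYPE in an uploaded report is a useful detection signal.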

Fix

XXE

Weakness Enumeration

Related Identifiers

CVE-2021-29620
GHSA-24WF-7VF2-PV59

Affected Products

Report Portal Service-Api