CVE-2021-29620: 
Java vulnerability analysis and mitigation

The vulnerability CVE-2021-29620 affects the Report Portal service-api module, specifically versions 3.1.0 and later, up until version 5.4.0. This vulnerability is related to improper configuration of the XML parser in the JUnit XML launch import feature, which was introduced in version 3.1.0. The vulnerability allows an attacker to perform XML External Entity (XXE) attacks through specifically-crafted XML files (GitHub Advisory).

The vulnerability is classified as CWE-611 (XML External Entity Reference) with a CVSS v3.1 base score of 7.5 (High severity). The attack vector is Network-based, with low attack complexity, requiring no privileges or user interaction. The vulnerability has an unchanged scope, with high impact on confidentiality but no impact on integrity or availability. The CVSS string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (GitHub Advisory).

The vulnerability allows attackers to extract secrets from the Report Portal service-api module or perform server-side request forgery by importing maliciously crafted XML files containing external Document Type Definition (DTD) files with external entities (GitHub Advisory).

The vulnerability has been patched in version 5.4.0 of the Report Portal service-api module. Users should upgrade to this version or later. The fix is available through Docker (docker pull reportportal/service-api:5.4.0) or through the GitHub packages repository (GitHub Advisory).