GHSA-7qfm-6m33-rgg9: 
Java vulnerability analysis and mitigation

An XML External Entity (XXE) vulnerability was discovered in Report Portal's service-api component, tracked as GHSA-7qfm-6m33-rgg9. The vulnerability affects versions before 4.3.12 and 5.x versions before 5.1.1. The issue was discovered in May 2020 and was publicly disclosed on August 13, 2021. The vulnerability received a High severity rating with a CVSS score of 7.5 (GitHub Advisory).

The vulnerability stems from improper configuration of the XML parser in the JUnit XML launch import feature, which was introduced in version 3.1.0. The parser was not configured to prevent XML external entity (XXE) attacks, allowing the processing of external Document Type Definition (DTD) files. This vulnerability is classified as CWE-611 (Improper Restriction of XML External Entity Reference) with a CVSS v3.1 base score of 7.5 (High), characterized by network attack vector, low attack complexity, no privileges required, and no user interaction needed (NVD Database, Security Advisory).

The vulnerability enables attackers to extract secrets from the Report Portal service-api module and potentially perform Server-Side Request Forgery (SSRF) attacks through specifically-crafted XML files that use external entities (Security Advisory).

The vulnerability has been patched in versions 4.3.12 and 5.1.1 of the service-api component. Users are advised to upgrade to these versions or later, which disable external entity resolution for their XML parser. For version 4.x, users should update to docker pull reportportal/service-api:4.3.12, and for version 5.x, to docker pull reportportal/service-api:5.1.1 (Security Advisory).

The vulnerability was initially reported by an external security researcher, Julien M., who was acknowledged by the Report Portal Team for responsibly disclosing the issue (Security Advisory).