7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-12642

GHSA ID

GHSA-2jx8-v4hv-gx3h

EPSS Score

0.51025%

CWE

CWE-611

Published

6/28/2021

Updated

2/1/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-12642

CVE-2020-12642: XXE vulnerability in Launch import

| Release Date | Affected Projects | Affected Versions | Access Vector| Security Risk | |--------------|-------------------|-------------------|---------------|---------------| | Monday, May 4, 2020| service-api | Every version, starting from 3.1.0 | Remote | Medium |

Impact

Starting from version 3.1.0 we introduced a new feature of JUnit XML launch import. Unfortunately XML parser was not configured properly to prevent XML external entity (XXE) attacks. This allows a user to import a specifically-crafted XML file that uses external entities for extraction of secrets from Report Portal service-api module or server-side request forgery.

Report Portal versions 4.3.12+ and 5.1.1+ disables external entity resolution for theirs XML parser.

We advise our users install the latest releases we built specifically to address this issue.

Patches

Fixed with https://github.com/reportportal/service-api/pull/1201

Binary Download

https://bintray.com/epam/reportportal/service-api/5.1.1 https://bintray.com/epam/reportportal/service-api/4.3.12

Docker Container Download

RP v4: docker pull reportportal/service-api:4.3.12
RP v5: docker pull reportportal/service-api:5.1.1

Acknowledgement

The issue was reported to Report Portal Team by an external security researcher. Our Team thanks Julien M. for reporting the issue.

For more information

If you have any questions or comments about this advisory email us: support@reportportal.io

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-12642

GHSA ID

GHSA-2jx8-v4hv-gx3h

EPSS Score

0.51025%

CWE

CWE-611

Published

6/28/2021

Updated

2/1/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.epam.reportportal:service-api	maven	>= 3.1.0, < 4.3.12	4.3.12
com.epam.reportportal:service-api	maven	>= 5.0.0, < 5.1.1	5.1.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insecure XML parser configuration in JUnit import handling. The fix in commit da4a012 shows security features were added to SAXParserFactory/XMLReader in XunitParseJob.java. The original vulnerable code executed 'SAXParserFactory.newInstance().newSAXParser().parse()' without disabling external entity resolution, which aligns with CWE-611 (XXE) description. The direct modification of XML parsing logic in this class confirms it as the vulnerable entry point.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

| R*l**s* **t* | *****t** Proj**ts | *****t** V*rsions | ****ss V**tor| S**urity Risk | |--------------|-------------------|-------------------|---------------|---------------| | Mon**y, M*y *, ****| [s*rvi**-*pi](*ttps://*it*u*.*om/r*portport*l/s*rv

Reasoning

T** vuln*r**ility st*ms *rom ins**ur* XML p*rs*r *on*i*ur*tion in JUnit import **n*lin*. T** *ix in *ommit ******* s*ows s**urity ***tur*s w*r* ***** to `S*XP*rs*r***tory`/`XMLR****r` in `XunitP*rs*Jo*.j*v*`. T** ori*in*l vuln*r**l* *o** *x**ut** `'S

7.5

Basic Information

Concerned about an active attack path?

CVE-2020-12642: XXE vulnerability in Launch import

Impact

Patches

Binary Download

Docker Container Download

Acknowledgement

For more information

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI