CVE-2021-29620: Improper Restriction of XML External Entity Reference

June 23, 2021 (updated June 30, 2021)

Report portal is an open source reporting and analysis framework. Starting from of the service-api XML parsing was introduced. Unfortunately the XML parser was not configured properly to prevent XML external entity (XXE) attacks. This allows a user to import a specifically-crafted XML file which imports external Document Type Definition (DTD) file with external entities for extraction of secrets from Report Portal service-api module or server-side request forgery.

References

nvd.nist.gov/vuln/detail/CVE-2021-29620

Code Behaviors & Features

Detect and mitigate CVE-2021-29620 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →