CVE-2021-29620
📋 TL;DR
This CVE describes an XML External Entity (XXE) vulnerability in Report Portal's service-api module. The XML parser behind the launch-import feature (XML parsing was introduced in service-api 3.1.0) was not configured to block external entities, so a user who can import a crafted XML file can make the server read files accessible to the service-api process or issue requests on the attacker's behalf (server-side request forgery). service-api versions from 3.1.0 up to and including 5.3.x are affected; 5.4.0 contains the fix.
💻 Affected Systems
- Report Portal service-api
📦 What is this software?
service-api is the backend REST API service of Report Portal, an open source test-report aggregation and analysis framework. It is published as the Maven artifact com.epam.reportportal:service-api and is normally deployed as a container alongside the other Report Portal services.
⚠️ Risk & Real-World Impact
Worst Case
An attacker with import rights reads any file the service-api process can read (application configuration, database credentials, API keys, tokens mounted into the container) and uses the Report Portal host as an SSRF pivot into internal services that trust it. How far that chains toward compromise of the surrounding infrastructure depends on what those secrets unlock.
Likely Case
Disclosure of configuration files and credentials readable by the service-api process, plus probing of internal network endpoints from the Report Portal host, giving the attacker material for follow-on attacks.
If Mitigated
No impact if the parser does not resolve external entities (as in service-api 5.4.0 and later) or if the XML import feature is not reachable by untrusted users.
🎯 Exploit Status
Exploitation requires an account that can import XML files into Report Portal (the launch import feature); no authentication bypass is involved. Standard XXE techniques apply: an external entity pointing at a file:// URL for in-band disclosure, or at an http:// URL the attacker controls for SSRF and out-of-band exfiltration.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.4.0
Vendor Advisory: https://github.com/reportportal/reportportal/security/advisories/GHSA-24wf-7vf2-pv59
Restart Required: Yes
Instructions:
1. Upgrade Report Portal service-api to version 5.4.0 or later (pull the new image or update the dependency).
2. Restart the service-api service (or redeploy the container).
3. Confirm the running version is 5.4.0 or later and that an imported XML file declaring an external entity no longer has it resolved (for example, no request arrives at a URL you control).
🔧 Temporary Workarounds
Disable XML file imports
Temporarily block the XML import functionality in Report Portal until you can upgrade
Block the launch import endpoint at the reverse proxy or API gateway in front of service-api, or restrict import rights to trusted users
Configure XML parser security
Manually configure the XML parser to disable external entity resolution
Set the parser factory features XMLConstants.FEATURE_SECURE_PROCESSING=true and http://apache.org/xml/features/disallow-doctype-decl=true in the import code; this requires rebuilding service-api from source. If service-api runs on the JDK's built-in parser, setting the JVM system property javax.xml.accessExternalDTD to an empty string (-Djavax.xml.accessExternalDTD=) blocks external DTD and entity access without a rebuild, but verify it takes effect in your deployment
🧯 If You Can't Patch
- Reject XML files containing a DOCTYPE declaration or entity references before they reach the parser (for example at the gateway); treat this as defense in depth only, since naive string matching can be evaded by encoding tricks
- Egress-filter the Report Portal host so it cannot reach the internet or unrelated internal services; this blunts SSRF and out-of-band exfiltration but does not stop in-band file disclosure through the imported report
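The parser-feature workaround above and the DOCTYPE pre-check under this heading are shown together in the following stand-alone Java program. It is an added illustration written for this page, not code from service-api or from the fix in PR #1392; the JUnit-style payload is constructed for the demo, and the class, method and file-path choices are assumptions. It parses the same payload with the JAXP defaults and with the hardened factory, so you can see the difference on your own JDK.

```java
import java.io.StringReader;
import java.util.regex.Pattern;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XxeHardeningDemo {

    // Constructed sample payload (not a real report): a JUnit-style file whose
    // DOCTYPE declares an external entity and expands it inside <system-out>.
    // /etc/hostname is an assumed, harmless target for the demonstration.
    static final String PAYLOAD =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE testsuites [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>\n"
        + "<testsuites><testsuite name=\"s\"><testcase name=\"t\">"
        + "<system-out>&xxe;</system-out></testcase></testsuite></testsuites>";

    // Weak configuration: JAXP defaults resolve external entities and DTDs.
    static DocumentBuilderFactory unsafeFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened configuration: the two features named in the workaround plus
    // belt-and-braces settings. disallow-doctype-decl alone already makes the
    // parser reject any document that carries a DOCTYPE.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Defense-in-depth pre-check for a gateway or upload handler: refuse any
    // document that declares a DOCTYPE or entity before it reaches a parser.
    // Plain string matching can be evaded (e.g. UTF-16 encoded input), so this
    // supplements, never replaces, the parser settings above.
    static final Pattern DTD_MARKERS = Pattern.compile("<!DOCTYPE|<!ENTITY");

    static boolean looksLikeXxe(String xml) {
        return DTD_MARKERS.matcher(xml).find();
    }

    // Parses the report with the given factory and returns the <system-out> text.
    static String systemOut(DocumentBuilderFactory f, String xml) throws Exception {
        Document d = f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        return d.getElementsByTagName("system-out").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("pre-check flags payload: " + looksLikeXxe(PAYLOAD));

        try {
            // With the defaults the entity is resolved: on a Linux host the
            // contents of /etc/hostname end up inside the parsed report.
            System.out.println("unsafe   -> " + systemOut(unsafeFactory(), PAYLOAD).trim());
        } catch (Exception e) {
            // The parser still tried to fetch the file; only the target was missing.
            System.out.println("unsafe   -> entity resolution attempted, failed: " + e.getMessage());
        }

        try {
            systemOut(hardenedFactory(), PAYLOAD);
            System.out.println("hardened -> parsed (unexpected)");
        } catch (SAXParseException e) {
            // Expected: the parser refuses the DOCTYPE before any entity is touched.
            System.out.println("hardened -> rejected: " + e.getMessage());
        }
    }
}
```

Run it with `java XxeHardeningDemo.java` on JDK 11 or later. The unsafe branch is what an unpatched import path does with an attacker's file; the hardened branch fails closed at the DOCTYPE, which is the behaviour to test for after applying the workaround or the upgrade.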
🔍 How to Verify
Check if Vulnerable:
Confirm whether the deployment runs service-api version 3.1.0 through 5.3.x and whether the XML import feature is reachable by users
Check Version:
Check the service-api image tag in your docker-compose or Kubernetes manifests; for a source build, check the com.epam.reportportal:service-api version in pom.xml or build.gradle
Verify Fix Applied:
Confirm the version is 5.4.0 or later, then import a harmless test file whose DOCTYPE declares an external entity pointing at a URL you control; if no request arrives at that URL and the import leaks no file contents, entity resolution is disabled
📡 Detection & Monitoring
Log Indicators:
- XML parsing errors with external entity references
- Unusual file upload patterns to XML endpoints
- Outbound connections from Report Portal to unexpected external systems
Network Indicators:
- HTTP requests to external DTD files from Report Portal server
- Unexpected outbound HTTP or FTP connections from the Report Portal host, especially ones that immediately follow an import request
SIEM Query:
source="report-portal" AND (message="*DOCTYPE*" OR message="*ENTITY*" OR message="*XXE*")
🔗 References
- https://github.com/reportportal/reportportal/security/advisories/GHSA-24wf-7vf2-pv59
- https://github.com/reportportal/service-api/pull/1392
- https://mvnrepository.com/artifact/com.epam.reportportal/service-api