Vulnerabilities (CVE)

Filtered by vendor Reportportal Subscribe
Filtered by product Service-api
Total 3 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-25822 1 Reportportal 2 Reportportal, Service-api 2024-02-28 N/A 6.5 MEDIUM
ReportPortal is an AI-powered test automation platform. Prior to version 5.10.0 of the `com.epam.reportportal:service-api` module, corresponding to ReportPortal version 23.2, the ReportPortal database becomes unstable and reporting almost fully stops except for small launches with approximately 1 test inside when the test_item.path field is exceeded the allowable `ltree` field type indexing limit (path length>=120, approximately recursive nesting of the nested steps). REINDEX INDEX path_gist_idx and path_idx aren't helped. The problem was fixed in `com.epam.reportportal:service-api` module version 5.10.0 (product release 23.2), where the maximum number of nested elements were programmatically limited. A workaround is available. After deletion of the data with long paths, and reindexing both indexes (path_gist_idx and path_idx), the database becomes stable and ReportPortal works properly.
CVE-2021-29620 1 Reportportal 1 Service-api 2024-02-28 5.0 MEDIUM 7.5 HIGH
Report portal is an open source reporting and analysis framework. Starting from version 3.1.0 of the service-api XML parsing was introduced. Unfortunately the XML parser was not configured properly to prevent XML external entity (XXE) attacks. This allows a user to import a specifically-crafted XML file which imports external Document Type Definition (DTD) file with external entities for extraction of secrets from Report Portal service-api module or server-side request forgery. This will be resolved in the 5.4.0 release.
CVE-2020-12642 1 Reportportal 1 Service-api 2024-02-28 5.0 MEDIUM 7.5 HIGH
An issue was discovered in service-api before 4.3.12 and 5.x before 5.1.1 for Report Portal. It allows XXE, with resultant secrets disclosure and SSRF, via JUnit XML launch import.