In the TransformXML processor of Apache NiFi before 1.15.1 an authenticated user could configure an XSLT file which, if it included malicious external entity calls, may reveal sensitive information.
[
{
"product": "Apache NiFi",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "1.15.0",
"status": "affected",
"version": "Apache NiFi",
"versionType": "custom"
}
]
}
]