GitHub Advisory DatabaseGHSA-68PR-6FJC-WMGMImproper Neutralization of Input in Advanced User Interface for Jolt
7.9 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L
6.7 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
41.7%
Apache NiFi 0.7.0 through 1.23.2 include the JoltTransformJSON Processor, which provides an advanced configuration user interface that is vulnerable to DOM-based cross-site scripting. If an authenticated user, who is authorized to configure a JoltTransformJSON Processor, visits a crafted URL, then arbitrary JavaScript code can be executed within the session context of the authenticated user. Upgrading to Apache NiFi 1.24.0 or 2.0.0-M1 is the recommended mitigation.
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| org.apache.nifi:nifi-jolt-transform-json-ui | lt | 1.24.0 |
References
www.openwall.com/lists/oss-security/2023/11/27/5
github.com/advisories/GHSA-68pr-6fjc-wmgm
github.com/apache/nifi/commit/50efc55df6bb00ea15adcc2459d5cc82d128857f
github.com/apache/nifi/pull/8060
issues.apache.org/jira/browse/NIFI-12403
lists.apache.org/thread/j8rd0qsvgoj0khqck5f49jfbp0fm8r1o
nifi.apache.org/security.html#CVE-2023-49145
nvd.nist.gov/vuln/detail/CVE-2023-49145
Related
7.9 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L
6.7 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
41.7%