Lucene search

GitHub Advisory DatabaseGHSA-HXJP-Q6C3-38FX

HistoryFeb 10, 2023 - 9:30 a.m.

XML External Entity Reference in Apache NiFi

2023-02-1009:30:23

CWE-611

GitHub Advisory Database

github.com

apache nifi

extractccdaattributes processor

security vulnerability

xml parsing

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

48.4%

JSON

The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references. Flow configurations that include the ExtractCCDAAttributes Processor are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. The resolution disables Document Type Declarations and disallows XML External Entity resolution in the ExtractCCDAAttributes Processor.

Affected configurations

Vulners

Node

org.apache.nifi\Matchnifi

CPENameOperatorVersion
org.apache.nifi:nifilt1.20.0

CPE	Name	Operator	Version
	org.apache.nifi:nifi	lt	1.20.0

References

github.com/advisories/GHSA-hxjp-q6c3-38fx

github.com/apache/nifi/commit/e966336e8966cf0cbbd12a2c4f2d73a7ceb75cd8

lists.apache.org/thread/b51qs6y7b7r58vovddkv6wc16g2xbl3w

nifi.apache.org/security.html#CVE-2023-22832

nvd.nist.gov/vuln/detail/CVE-2023-22832

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

48.4%

JSON

Related for GHSA-HXJP-Q6C3-38FX