NiFi Standard Processors is vulnerable to XML external entity (XXE) injection. The vulnerability exists in multiple components: the EvaluateXPath, EvaluateXQuery and ValidateXml processors do not restrict XXE references when configured with default values, which allows an attacker to send malicious XML documents.
github.com/advisories/GHSA-wc97-7623-rxwx
github.com/apache/nifi/commit/5d94e7f7d594e600d8eb00329bb38b99d46ec66b
github.com/apache/nifi/pull/5962
github.com/apache/nifi/pull/5986
github.com/apache/nifi/pull/5994
issues.apache.org/jira/browse/NIFI-9901
issues.apache.org/jira/browse/NIFI-9943
lists.apache.org/thread/47od9kr9n4cyv0mv81jh3pkyx815kyjl
nifi.apache.org/security.html#CVE-2022-29265