BIT-nifi-2023-22832

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/nifi/BIT-nifi-2023-22832.json

JSON Data

https://api.test.osv.dev/v1/vulns/BIT-nifi-2023-22832

Aliases

Published

2025-09-12T11:46:55.074Z

Modified

2025-09-15T07:43:55.150646Z

Summary

Apache NiFi: Improper Restriction of XML External Entity References in ExtractCCDAAttributes

Details

The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references.

Flow configurations that include the ExtractCCDAAttributes Processor are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references.

The resolution disables Document Type Declarations and disallows XML External Entity resolution in the ExtractCCDAAttributes Processor.

Database specific

{
    "severity": "High",
    "cpes": [
        "cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*"
    ]
}

References

Affected packages

Bitnami / nifi

Package

Name: nifi
Purl: pkg:bitnami/nifi

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

1.2.0

Last affected

1.19.1

Database specific

source

"https://github.com/bitnami/vulndb/tree/main/data/nifi/BIT-nifi-2023-22832.json"