CVE-2019-10080

Source
https://nvd.nist.gov/vuln/detail/CVE-2019-10080
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-10080.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2019-10080
Aliases
Published
2019-11-19T22:15:11Z
Modified
2024-10-12T04:11:41.767761Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

The XMLFileLookupService in NiFi versions 1.3.0 to 1.9.2 allowed trusted users to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE) and reveal information such as the versions of Java, Jersey, and Apache that the NiFI instance uses.

References

Affected packages

Git / github.com/apache/nifi

Affected ranges

Type
GIT
Repo
https://github.com/apache/nifi
Events

Affected versions

nifi-1.*

nifi-1.3.0-RC1
nifi-1.5.0-RC1
nifi-1.6.0-RC3
nifi-1.7.0-RC1
nifi-1.8.0-RC3
nifi-1.9.0-RC2
nifi-1.9.1-RC1
nifi-1.9.2-RC2

rel/nifi-1.*

rel/nifi-1.3.0
rel/nifi-1.4.0
rel/nifi-1.5.0
rel/nifi-1.6.0
rel/nifi-1.7.0
rel/nifi-1.8.0
rel/nifi-1.9.0
rel/nifi-1.9.1
rel/nifi-1.9.2