GHSA-744r-vv2g-2x6g

Suggest an improvement
Source
https://github.com/advisories/GHSA-744r-vv2g-2x6g
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-744r-vv2g-2x6g/GHSA-744r-vv2g-2x6g.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-744r-vv2g-2x6g
Aliases
Published
2019-12-02T18:17:36Z
Modified
2023-11-01T04:49:52.685090Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Apache NiFi information disclosure by XXE
Details

The XMLFileLookupService in NiFi versions 1.3.0 to 1.9.2 allowed trusted users to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE) and reveal information such as the versions of Java, Jersey, and Apache that the NiFI instance uses.

Database specific
{
    "nvd_published_at": "2019-11-19T22:15:00Z",
    "github_reviewed_at": "2019-12-02T17:27:21Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-611"
    ]
}
References

Affected packages

Maven / org.apache.nifi:nifi-security

Package

Name
org.apache.nifi:nifi-security
View open source insights on deps.dev
Purl
pkg:maven/org.apache.nifi/nifi-security

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.3.0
Fixed
1.10.0

Affected versions

1.*

1.3.0
1.4.0
1.5.0
1.6.0
1.7.0
1.7.1
1.8.0
1.9.0
1.9.1
1.9.2

Maven / org.apache.nifi:nifi

Package

Name
org.apache.nifi:nifi
View open source insights on deps.dev
Purl
pkg:maven/org.apache.nifi/nifi

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.3.0
Fixed
1.10.0

Affected versions

1.*

1.3.0
1.4.0
1.5.0
1.6.0
1.7.0
1.7.1
1.8.0
1.9.0
1.9.1
1.9.2