GHSA-hxjp-q6c3-38fx

Source

https://github.com/advisories/GHSA-hxjp-q6c3-38fx

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-hxjp-q6c3-38fx/GHSA-hxjp-q6c3-38fx.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-hxjp-q6c3-38fx

Aliases

CVE-2023-22832

Published

2023-02-10T09:30:23Z

Modified

2024-10-14T18:22:58.170550Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

XML External Entity Reference in Apache NiFi

Details

The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references. Flow configurations that include the ExtractCCDAAttributes Processor are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. The resolution disables Document Type Declarations and disallows XML External Entity resolution in the ExtractCCDAAttributes Processor.

Database specific

{
    "nvd_published_at": "2023-02-10T08:15:00Z",
    "cwe_ids": [
        "CWE-611"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-02-10T22:41:43Z"
}

References

Affected packages

Maven / org.apache.nifi:nifi-ccda-processors

Package

Name: org.apache.nifi:nifi-ccda-processors; View open source insights on deps.dev
Purl: pkg:maven/org.apache.nifi/nifi-ccda-processors

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.2.0

Fixed

1.20.0

Affected versions

1.*

1.2.0

1.3.0

1.4.0

1.5.0

1.6.0

1.7.0

1.7.1

1.8.0

1.9.0

1.9.1

1.9.2

1.10.0

1.11.0

1.11.1

1.11.2

1.11.3

1.11.4

1.12.0

1.12.1

1.13.0

1.13.1

1.13.2

1.14.0

1.15.0

1.15.1

1.15.2

1.15.3

1.16.0

1.16.1

1.16.2

1.16.3

1.17.0

1.18.0

1.19.0

1.19.1