Description

An authorized user could upload a template which contained malicious code and accessed sensitive files via an XML External Entity (XXE) attack. The fix to properly handle XML External Entities was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should upgrade to the appropriate release.

Remediation

References

https://nifi.apache.org/security.html#CVE-2017-12623

Related Vulnerabilities

CVE-2015-0201 Vulnerability in maven package org.springframework:spring-websocket

CVE-2019-20174 Vulnerability in npm package auth0-lock

CVE-2022-45397 Vulnerability in maven package org.jenkins-ci.plugins:osf-builder-suite-xml-linter

CVE-2022-34797 Vulnerability in maven package org.jenkins-ci.plugins:ec2-deployment-dashboard

CVE-2018-1000105 Vulnerability in maven package org.jenkins-ci.plugins:gerrit-trigger

Severity

High

Classification

CWE-611 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Vendor Advisory