Description

An authorized user could upload a template which contained malicious code and accessed sensitive files via an XML External Entity (XXE) attack. The fix to properly handle XML External Entities was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should upgrade to the appropriate release.

Remediation

References

https://nifi.apache.org/security.html#CVE-2017-12623

Related Vulnerabilities

CVE-2016-3088 Vulnerability in maven package org.apache.activemq:activemq-fileserver

CVE-2023-37959 Vulnerability in maven package org.jenkins-ci.plugins:sumologic-publisher

CVE-2015-5262 Vulnerability in maven package org.apache.httpcomponents:httpclient

CVE-2021-44549 Vulnerability in maven package org.apache.sling:org.apache.sling.commons.messaging.mail

CVE-2020-2196 Vulnerability in maven package org.jenkins-ci.plugins:selenium

Severity

High

Classification

CWE-611 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Vendor Advisory