Description
In the TransformXML processor of Apache NiFi before 1.15.1, an authenticated user could configure an XSLT file which, if it included malicious external entity calls, may reveal sensitive information.
Remediation
References
http://www.openwall.com/lists/oss-security/2021/12/17/1
https://nifi.apache.org/security.html#1.15.1-vulnerabilities
Related Vulnerabilities
CVE-2020-1748 Vulnerability in maven package org.wildfly.security:wildfly-elytron
CVE-2019-14837 Vulnerability in maven package org.keycloak:keycloak-services
CVE-2019-13173 Vulnerability in npm package fstream
CVE-2021-34371 Vulnerability in maven package org.neo4j:neo4j
CVE-2023-37895 Vulnerability in maven package org.apache.jackrabbit:jackrabbit-webapp