Description
In the TransformXML processor of Apache NiFi before 1.15.1, an authenticated user could configure an XSLT file that, if it included malicious external entity calls, may reveal sensitive information.
Remediation
References
http://www.openwall.com/lists/oss-security/2021/12/17/1
https://nifi.apache.org/security.html#1.15.1-vulnerabilities