BIT-nifi-2023-49145

Import Source
https://github.com/bitnami/vulndb/tree/main/data/nifi/BIT-nifi-2023-49145.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-nifi-2023-49145
Aliases
Published
2025-09-12T11:47:03.168Z
Modified
2025-09-15T07:41:56.561005Z
Summary
Apache NiFi: Improper Neutralization of Input in Advanced User Interface for Jolt
Details

Apache NiFi 0.7.0 through 1.23.2 include the JoltTransformJSON Processor, which provides an advanced configuration user interface that is vulnerable to DOM-based cross-site scripting. If an authenticated user, who is authorized to configure a JoltTransformJSON Processor, visits a crafted URL, then arbitrary JavaScript code can be executed within the session context of the authenticated user. Upgrading to Apache NiFi 1.24.0 or 2.0.0-M1 is the recommended mitigation.
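The advisory describes the general class of bug: a client-side page reads a value from the URL and writes it into the document through a markup-interpreting sink, so a crafted link executes script in the victim's session. The block below is an added illustration of that pattern and of two fixes; it is not Apache NiFi's code and does not reproduce the specific defect in the Jolt advanced UI. The `id` and `mode` parameter names, the host name and the payload are assumptions chosen for the example, and a tiny element stand-in replaces the browser DOM so the block runs under Node as well as in a browser.

```javascript
// Added example, not NiFi code. Demonstrates DOM-based XSS through a URL
// query parameter and two ways to close it.

// Stand-in for a DOM element so the block runs under Node; in a browser
// replace makeElement() with document.getElementById(...).
function makeElement() {
  return { innerHTML: '', textContent: '' };
}

// Reads one query parameter from a full URL (decoded by URLSearchParams).
function getParam(url, name) {
  return new URL(url).searchParams.get(name);
}

// Constructed attacker payload and crafted link (hypothetical host and parameters).
const PAYLOAD = '<img src=x onerror=alert(document.cookie)>';
const CRAFTED_URL =
  'https://nifi.example.invalid/jolt/index.html?id=abc-123&mode=' +
  encodeURIComponent(PAYLOAD);

// VULNERABLE: the attacker-controlled value is interpolated into markup and
// assigned through innerHTML, so the browser parses and executes it in the
// session of whoever opened the link.
function renderVulnerable(el, url) {
  const mode = getParam(url, 'mode') ?? '';
  el.innerHTML = `<span class="mode">${mode}</span>`;
  return el.innerHTML;
}

// FIX 1: use a text sink. textContent never parses markup, so the payload is
// displayed literally and nothing runs.
function renderAsText(el, url) {
  const mode = getParam(url, 'mode') ?? '';
  el.textContent = mode;
  return el.textContent;
}

// FIX 2 (when markup must be built): HTML-encode every untrusted value first.
// One regex with a callback means '&' is never encoded twice.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderEscaped(el, url) {
  const mode = getParam(url, 'mode') ?? '';
  el.innerHTML = `<span class="mode">${escapeHtml(mode)}</span>`;
  return el.innerHTML;
}

// Defence in depth: allowlist the shape of identifiers taken from the URL and
// refuse to render anything else. The pattern is an assumption for the example.
const SAFE_ID = /^[A-Za-z0-9-]{1,64}$/;

function renderAllowlisted(el, url) {
  const id = getParam(url, 'id') ?? '';
  if (!SAFE_ID.test(id)) {
    return null; // reject rather than reflect
  }
  el.textContent = id;
  return el.textContent;
}

// Stand-alone demo under Node (skipped when loaded as a module elsewhere).
if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable :', renderVulnerable(makeElement(), CRAFTED_URL));
  console.log('text sink  :', renderAsText(makeElement(), CRAFTED_URL));
  console.log('escaped    :', renderEscaped(makeElement(), CRAFTED_URL));
  console.log('allowlisted:', renderAllowlisted(makeElement(), CRAFTED_URL));
}
```

The point the advisory makes is visible in the first function: because the value comes from the URL and the sink is `innerHTML`, no server round-trip is involved and the script runs with whatever the authenticated user's session can do in NiFi. For deployed instances the remediation is the upgrade the advisory names, not a client-side patch; the escaped and allowlisted variants show what a correct UI does with URL-derived values.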

Database specific
{
    "severity": "Medium",
    "cpes": [
        "cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*"
    ]
}
References

Affected packages

Bitnami / nifi

Package

Name
nifi
Purl
pkg:bitnami/nifi

Severity

  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Affected ranges

Type
SEMVER
Events
Introduced
0.7.0
Fixed
1.24.0