CVE-2017-12623

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2017-12623
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-12623.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2017-12623
Aliases
Published
2017-10-10T18:29:00Z
Modified
2024-09-03T01:43:20.618459Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

An authorized user could upload a template which contained malicious code and accessed sensitive files via an XML External Entity (XXE) attack. The fix to properly handle XML External Entities was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should upgrade to the appropriate release.

References

Affected packages

Git / github.com/apache/nifi

Affected ranges

Type
GIT
Repo
https://github.com/apache/nifi
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
1890f6c522514027ae46f86601f4771f62cadc6d
Last affected
3a605af8e0ac024fb0ba67262d49dab2727b2576
Last affected
5536f690a81418955442d52687695f65f0a44cd0
Last affected
74d5224783dfdc513f6b3ad5ed96671d3c581707
Last affected
a92f2e36ed6be695e4dc6f624f6b3a96e6d1a57c
Last affected
ddb73612bd1512d8b2151b81f9aa40811bca2aaa
Last affected
e31088642b6fdc7cafb52208a6ba29216dde7898

Affected versions

docker/nifi-1.*

docker/nifi-1.2.0

nifi-0.*

nifi-0.0.1-incubating-RC3
nifi-0.0.2-incubating-RC1
nifi-0.1.0-incubating-rc13
nifi-0.2.0-incubating-RC1
nifi-0.2.1-RC1
nifi-0.3.0-RC1
nifi-0.4.0
nifi-0.4.0-RC2
nifi-0.4.1
nifi-0.4.1-RC1
nifi-0.5.0
nifi-0.5.0-RC3
nifi-0.6.0
nifi-0.6.0-RC2

nifi-1.*

nifi-1.0.0-RC1
nifi-1.0.1-RC1
nifi-1.1.0-RC2
nifi-1.2.0-RC2

nifi-nar-maven-plugin-1.*

nifi-nar-maven-plugin-1.0.0-incubating-RC3
nifi-nar-maven-plugin-1.0.1-incubating-rc13

nifi-parent-1.*

nifi-parent-1.0.0-incubating-rc13

rel/nifi-1.*

rel/nifi-1.0.0
rel/nifi-1.0.1
rel/nifi-1.1.0
rel/nifi-1.2.0