CVE-2019-10080

Source
https://nvd.nist.gov/vuln/detail/CVE-2019-10080
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-10080.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2019-10080
Aliases
Published
2019-11-19T22:15:11Z
Modified
2024-09-03T02:21:41.245280Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
[none]
Details

The XMLFileLookupService in NiFi versions 1.3.0 to 1.9.2 allowed trusted users to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE) and reveal information such as the versions of Java, Jersey, and Apache that the NiFi instance uses.

References

Affected packages

Git / github.com/apache/nifi

Affected ranges

Type
GIT
Repo
https://github.com/apache/nifi
Events

Affected versions

nifi-1.*

nifi-1.3.0-RC1
nifi-1.5.0-RC1
nifi-1.6.0-RC3
nifi-1.7.0-RC1
nifi-1.8.0-RC3
nifi-1.9.0-RC2
nifi-1.9.1-RC1
nifi-1.9.2-RC2

rel/nifi-1.*

rel/nifi-1.3.0
rel/nifi-1.4.0
rel/nifi-1.5.0
rel/nifi-1.6.0
rel/nifi-1.7.0
rel/nifi-1.8.0
rel/nifi-1.9.0
rel/nifi-1.9.1
rel/nifi-1.9.2