GHSA-42wx-65g4-5cxv

Source

https://github.com/advisories/GHSA-42wx-65g4-5cxv

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-42wx-65g4-5cxv/GHSA-42wx-65g4-5cxv.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-42wx-65g4-5cxv

Aliases

CVE-2018-1309

Published

2022-05-14T03:16:17Z

Modified

2024-02-16T08:02:16.045383Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Improper Restriction of XML External Entity Reference in Apache NiFi

Details

Apache NiFi External XML Entity issue in SplitXML processor. Malicious XML content could cause information disclosure or remote code execution. The fix to disable external general entity parsing and disallow doctype declarations was applied on the Apache NiFi 1.6.0 release. Users running a prior 1.x release should upgrade to the appropriate release.

Database specific

{
    "nvd_published_at": "2018-05-23T14:29:00Z",
    "cwe_ids": [
        "CWE-611"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-29T19:23:50Z"
}

References

Affected packages

Maven / org.apache.nifi:nifi-standard-processors

Package

Name: org.apache.nifi:nifi-standard-processors; View open source insights on deps.dev
Purl: pkg:maven/org.apache.nifi/nifi-standard-processors

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0.1.0

Fixed

1.6.0

Affected versions

0.*

0.1.0-incubating

0.2.0-incubating

0.2.1

0.3.0

0.4.0

0.4.1

0.5.0

0.5.1

0.6.0

0.6.1

0.7.0

0.7.1

0.7.2

0.7.3

0.7.4

1.*

1.0.0-BETA

1.0.0

1.0.1

1.1.0

1.1.1

1.1.2

1.2.0

1.3.0

1.4.0

1.5.0

Database specific

{
    "last_known_affected_version_range": "<= 1.5.0"
}