GHSA-68pr-6fjc-wmgm
Suggest an improvement- Source
- https://github.com/advisories/GHSA-68pr-6fjc-wmgm
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-68pr-6fjc-wmgm/GHSA-68pr-6fjc-wmgm.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-68pr-6fjc-wmgm
- Aliases
- Published
- 2023-11-28T00:30:33Z
- Modified
- 2024-02-16T08:24:24.572878Z
- Severity
-
- 7.9 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L CVSS Calculator
- Summary
- Improper Neutralization of Input in Advanced User Interface for Jolt
- Details
-
Apache NiFi 0.7.0 through 1.23.2 include the JoltTransformJSON Processor, which provides an advanced configuration user interface that is vulnerable to DOM-based cross-site scripting. If an authenticated user, who is authorized to configure a JoltTransformJSON Processor, visits a crafted URL, then arbitrary JavaScript code can be executed within the session context of the authenticated user. Upgrading to Apache NiFi 1.24.0 or 2.0.0-M1 is the recommended mitigation.
- Database specific
{ "nvd_published_at": "2023-11-27T23:15:07Z", "cwe_ids": [ "CWE-79" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2023-11-28T20:59:40Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2023-49145
- https://github.com/apache/nifi/pull/8060
- https://github.com/apache/nifi/commit/50efc55df6bb00ea15adcc2459d5cc82d128857f
- https://github.com/apache/nifi
- https://issues.apache.org/jira/browse/NIFI-12403
- https://lists.apache.org/thread/j8rd0qsvgoj0khqck5f49jfbp0fm8r1o
- https://nifi.apache.org/security.html#CVE-2023-49145
- http://www.openwall.com/lists/oss-security/2023/11/27/5
Affected packages
Maven / org.apache.nifi:nifi-jolt-transform-json-ui
Package
- Name
- org.apache.nifi:nifi-jolt-transform-json-ui
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apache.nifi/nifi-jolt-transform-json-ui
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.24.0
Affected versions
0.*
0.7.0
0.7.1
0.7.2
0.7.3
0.7.4
1.*
1.0.0-BETA
1.0.0
1.0.1
1.1.0
1.1.1
1.1.2
1.2.0
1.3.0
1.4.0
1.5.0
1.6.0
1.7.0
1.7.1
1.8.0
1.9.0
1.9.1
1.9.2
1.10.0
1.11.0
1.11.1
1.11.2
1.11.3
1.11.4
1.12.0
1.12.1
1.13.0
1.13.1
1.13.2
1.14.0
1.15.0
1.15.1
1.15.2
1.15.3
1.16.0
1.16.1
1.16.2
1.16.3
1.17.0
1.18.0
1.19.0
1.19.1
1.20.0
1.21.0
1.22.0
1.23.0
1.23.1
1.23.2