GHSA-q4xf-3pmq-3hw8

Source

https://github.com/advisories/GHSA-q4xf-3pmq-3hw8

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-q4xf-3pmq-3hw8/GHSA-q4xf-3pmq-3hw8.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-q4xf-3pmq-3hw8

Aliases

Published

2022-01-06T20:41:00Z

Modified

2025-09-15T07:41:52.738881Z

Severity

5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Improper Restriction of XML External Entity Reference in Apache NiFi

Details

In Apache NiFi 1.0.0 to 1.11.4, the notification service manager and various policy authorizer and user group provider objects allowed trusted administrators to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE).

Database specific

{
    "github_reviewed_at": "2021-03-29T16:20:14Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-611"
    ],
    "nvd_published_at": "2020-10-01T20:15:00Z",
    "severity": "MODERATE"
}

References

Affected packages

Maven / org.apache.nifi:nifi

Package

Name: org.apache.nifi:nifi; View open source insights on deps.dev
Purl: pkg:maven/org.apache.nifi/nifi

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.0.0

Fixed

1.12.0-RC1

Affected versions

1.*

1.0.0

1.0.1

1.1.0

1.1.1

1.1.2

1.2.0

1.3.0

1.4.0

1.5.0

1.6.0

1.7.0

1.7.1

1.8.0

1.9.0

1.9.1

1.9.2

1.10.0

1.11.0

1.11.1

1.11.2

1.11.3

1.11.4

Database specific

last_known_affected_version_range

"<= 1.11.4"