GHSA-qj7f-j6h9-g5rq

Source

https://github.com/advisories/GHSA-qj7f-j6h9-g5rq

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-qj7f-j6h9-g5rq/GHSA-qj7f-j6h9-g5rq.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-qj7f-j6h9-g5rq

Aliases

CVE-2017-12623

Published

2022-05-17T00:26:27Z

Modified

2023-11-08T03:58:53.487680Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

XML External Entity Reference in Apache NiFi

Details

An authorized user could upload a template which contained malicious code and accessed sensitive files via an XML External Entity (XXE) attack. The fix to properly handle XML External Entities was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should upgrade to the appropriate release.

Database specific

{
    "nvd_published_at": "2017-10-10T18:29:00Z",
    "github_reviewed_at": "2022-11-01T22:33:57Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-611"
    ]
}

References

Affected packages

Maven / org.apache.nifi:nifi

Package

Name: org.apache.nifi:nifi; View open source insights on deps.dev
Purl: pkg:maven/org.apache.nifi/nifi

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.0.0

Fixed

1.4.0

Affected versions

1.*

1.0.0

1.0.1

1.1.0

1.1.1

1.1.2

1.2.0

1.3.0