Description

In the TransformXML processor of Apache NiFi before 1.15.1 an authenticated user could configure an XSLT file which, if it included malicious external entity calls, may reveal sensitive information.

Remediation

References

http://www.openwall.com/lists/oss-security/2021/12/17/1

https://nifi.apache.org/security.html#1.15.1-vulnerabilities

Related Vulnerabilities

CVE-2021-23358 Vulnerability in maven package org.webjars.npm:underscore

CVE-2022-31069 Vulnerability in npm package @ffdc/nestjs-proxy

CVE-2019-12418 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core

CVE-2022-45693 Vulnerability in maven package org.codehaus.jettison:jettison

CVE-2022-24721 Vulnerability in maven package org.cometd.java:cometd-java-oort

Severity

High

Classification

CWE-200 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Mailing List Third Party Advisory Vendor Advisory