
List:       oss-security
Subject:    [oss-security] CVE-2021-44145: Apache NiFi information disclosure by XXE
From:       Nathan Gough <thenatog () apache ! org>
Date:       2021-12-17 0:01:33
Message-ID: CAEhjM2Am_ixc+KirjdR_i+=6pw+bjixDBN34dBXhEDpRjO9ArQ () mail ! gmail ! com


Severity: Low

Description:

In the TransformXML processor an authenticated user could configure an
XSLT file which, if it included malicious external entity calls, may
reveal sensitive information.

This issue is being tracked as NIFI-9399.

Credit:

This issue was discovered by DangKhai at Viettel Cyber Security.

References:
https://nifi.apache.org/security.html#1.15.1-vulnerabilities
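
Added example, not part of the original message and not Apache NiFi's code or its fix for NIFI-9399: one way to load a user-supplied XSLT file through JAXP so that a stylesheet carrying a DOCTYPE or external entity declaration is rejected before any transformation runs. It assumes the JDK's built-in JAXP implementation; the class name HardenedXslt and both sample stylesheets are constructed for illustration.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.Templates;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;

public class HardenedXslt { // hypothetical class name
    static final String XSL = "<xsl:stylesheet version='1.0' "
        + "xmlns:xsl='http://www.w3.org/1999/XSL/Transform'><xsl:template match='/'>"
        + "<out><xsl:value-of select='/in'/></out></xsl:template></xsl:stylesheet>";
    // Constructed sample: the same stylesheet behind a DOCTYPE that declares an
    // external entity (placeholder URI, never dereferenced by the hardened parser).
    static final String XSL_WITH_ENTITY =
        "<!DOCTYPE s [<!ENTITY e SYSTEM 'file:///placeholder'>]>" + XSL;

    static Templates compile(String xslt) throws Exception {
        // Parse the stylesheet with a reader that refuses DTDs and external entities.
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        XMLReader reader = spf.newSAXParser().getXMLReader();

        // Deny the XSLT engine external DTDs and external stylesheets as well.
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf.newTemplates(new SAXSource(reader, new InputSource(new StringReader(xslt))));
    }

    public static void main(String[] args) throws Exception {
        StringWriter out = new StringWriter();
        compile(XSL).newTransformer().transform(
            new StreamSource(new StringReader("<in>ok</in>")), new StreamResult(out));
        System.out.println("benign stylesheet: " + out);
        try {
            compile(XSL_WITH_ENTITY);
            System.out.println("DOCTYPE stylesheet: accepted (unexpected)");
        } catch (Exception e) {
            System.out.println("DOCTYPE stylesheet: rejected (" + e.getClass().getSimpleName() + ")");
        }
    }
}
```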

