
List:       oss-security
Subject:    [oss-security] CVE-2022-29265: Apache NiFi: Improper Restriction of XML External Entity References i
From:       David Handermann <exceptionfactory () apache ! org>
Date:       2022-04-29 20:28:54
Message-ID: 9032b118-519c-49f6-8782-eb97d02a9ca2 () apache ! org

Severity: moderate

Description:

Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configuration.

The Standard Content Viewer service attempts to resolve XML External Entity references when viewing formatted XML files.

The following Processors attempt to resolve XML External Entity references when configured with default property values:

- EvaluateXPath
- EvaluateXQuery
- ValidateXml

Apache NiFi flow configurations that include these Processors are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references.

The resolution disables Document Type Declarations in the default configuration for these Processors, and disallows XML External Entity resolution in standard services.

This issue is being tracked as NIFI-9901.

Mitigation:

Disabling the Validate DTD Processor Property in EvaluateXPath and EvaluateXQuery mitigates the vulnerability for those Processors. No mitigation is available for the ValidateXml Processor or the Standard Content Viewer.
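The resolution and the mitigation above both come down to the same parser-level setting: the XML parser must reject Document Type Declarations so that no external entity can be declared. The following is an added example of that hardening in plain JAXP, written for this page and not taken from NiFi's code; the class name, the placeholder entity URI and the sample documents are constructed.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

// Illustrative class (not NiFi's): a DocumentBuilder that refuses any DOCTYPE.
public class DtdDisabledParser {

    static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Xerces feature: any <!DOCTYPE ...> causes the parse to fail, which is
        // the equivalent of the advisory's "disables Document Type Declarations".
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a DOCTYPE were ever permitted again.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory.newDocumentBuilder();
    }

    static Document parse(DocumentBuilder builder, String xml) throws SAXException, IOException {
        return builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilder hardened = newHardenedBuilder();

        // Constructed sample: a DOCTYPE declaring an external entity (placeholder URI).
        String withDtd = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE doc [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER\">]>"
            + "<doc>&ext;</doc>";
        try {
            parse(hardened, withDtd);
            System.out.println("UNEXPECTED: document with DOCTYPE was accepted");
        } catch (SAXException e) {
            System.out.println("Rejected as intended: " + e.getMessage());
        }

        // Ordinary XML without a DOCTYPE still parses normally.
        Document ok = parse(hardened, "<doc><item>value</item></doc>");
        System.out.println("Parsed root element: " + ok.getDocumentElement().getTagName());
    }
}
```

The rejection surfaces as a SAXParseException before any entity is resolved, so a log line at that point is also a usable detection signal for XML inputs carrying a DOCTYPE.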

Credit:

David Handermann at exceptionfactory.com reported this issue.

References:

https://nifi.apache.org/security.html#CVE-2022-29265


