[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] CVE-2022-29265: Apache NiFi: Improper Restriction of XML External Entity References i
From: David Handermann <exceptionfactory () apache ! org>
Date: 2022-04-29 20:28:54
Message-ID: 9032b118-519c-49f6-8782-eb97d02a9ca2 () apache ! org
[Download RAW message or body]
Severity: moderate
Description:
Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML =
External Entity references in the default configuration.
The Standard Content Viewer service attempts to resolve XML External Entity=
references when viewing formatted XML files.
The following Processors attempt to resolve XML External Entity references =
when configured with default property values:
- EvaluateXPath
- EvaluateXQuery
- ValidateXml
Apache NiFi flow configurations that include these Processors are =
vulnerable to malicious XML documents that contain Document Type =
Declarations with XML External Entity references.
The resolution disables Document Type Declarations in the default =
configuration for these Processors, and disallows XML External Entity =
resolution in standard services.
This issue is being tracked as NIFI-9901
Mitigation:
Disabling the Validate DTD Processor Property in EvaluateXPath and =
EvaluateXQuery mitigates the vulnerability for those Processors. No =
mitigation is available for the ValidateXml Processor or the Standard =
Content Viewer.
Credit:
David Handermann at exceptionfactory.com reported this issue.
References:
https://nifi.apache.org/security.html#CVE-2022-29265
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic