
List:       oss-security
Subject:    [oss-security] CVE-2023-22832: Apache NiFi: Improper Restriction of XML External Entity References i
From:       David Handermann <exceptionfactory () apache ! org>
Date:       2023-02-09 23:12:45
Message-ID: 4796f6ee-fab4-b33f-e179-774ea70477aa () apache ! org

Severity: moderate

Description:

The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references.

Flow configurations that include the ExtractCCDAAttributes Processor are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references.

The resolution disables Document Type Declarations and disallows XML External Entity resolution in the ExtractCCDAAttributes Processor.
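The resolution described above amounts to hardening the XML parser configuration. The following is an added example, not NiFi's own code, showing how the standard JAXP DocumentBuilderFactory is configured to refuse Document Type Declarations and external entities, checked against a constructed sample document; the class name and the hardenedBuilder helper are hypothetical.

```java
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import java.io.StringReader;

public class HardenedXmlParsing {

    // Hypothetical helper: a DocumentBuilder with DTDs and external entity resolution disabled.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // Reject any <!DOCTYPE ...> outright, so no entity declarations are ever processed.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth: never resolve external general or parameter entities.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        // Do not fetch an external DTD referenced from a DOCTYPE.
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory.newDocumentBuilder();
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: a CDA-shaped document with and without a DTD.
        String withDoctype = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE ClinicalDocument [ <!ENTITY note \"internal\"> ]>\n"
            + "<ClinicalDocument>&note;</ClinicalDocument>";
        String plain = "<ClinicalDocument><title>ok</title></ClinicalDocument>";

        DocumentBuilder builder = hardenedBuilder();
        Document doc = builder.parse(new InputSource(new StringReader(plain)));
        System.out.println("plain document root: " + doc.getDocumentElement().getNodeName());

        try {
            builder.parse(new InputSource(new StringReader(withDoctype)));
            System.out.println("UNEXPECTED: DOCTYPE was accepted");
        } catch (SAXParseException e) {
            // Expected path: the parser stops at the DOCTYPE before any entity is touched.
            System.out.println("rejected DOCTYPE: " + e.getMessage());
        }
    }
}
```

Even a document whose DTD declares only internal entities is rejected once disallow-doctype-decl is set, which is the intended effect: the check does not depend on recognising a malicious entity.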

This issue is being tracked as NIFI-11029 

Credit:

Yi Cai of Chaitin Tech (finder)

References:

https://nifi.apache.org/security.html#CVE-2023-22832
https://nifi.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-22832
https://issues.apache.org/jira/browse/NIFI-11029

Timeline:

2023-01-03: reported

