[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] CVE-2023-49145: Apache NiFi: Improper Neutralization of Input in Advanced User Interf
From:       David Handermann <exceptionfactory () apache ! org>
Date:       2023-11-27 21:58:37
Message-ID: e9bc0330-6574-e4e4-711e-c47450c53e53 () apache ! org
[Download RAW message or body]

Affected versions:

- Apache NiFi 0.7.0 through 1.23.2

Description:

Apache NiFi 0.7.0 through 1.23.2 include the JoltTransformJSON Processor, which provides an \
advanced configuration user interface that is vulnerable to DOM-based cross-site scripting. If \
an authenticated user, who is authorized to configure a JoltTransformJSON Processor, visits a \
crafted URL, then arbitrary JavaScript code can be executed within the session context of the \
authenticated user. Upgrading to Apache NiFi 1.24.0 or 2.0.0-M1 is the recommended mitigation.

This issue is being tracked as NIFI-12403 

Credit:

Dr. Oliver Matula, DB Systel GmbH (finder)

References:

https://nifi.apache.org/security.html#CVE-2023-49145
https://nifi.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-49145
https://issues.apache.org/jira/browse/NIFI-12403

Timeline:

2023-11-22: reported
2023-11-22: confirmed
2023-11-22: resolved


[prev in list] [next in list] [prev in thread] [next in thread]