CVSS: 7.9EPSS: 0%CPEs: 1EXPL: 0CVE-2023-49145 – Apache NiFi: Improper Neutralization of Input in Advanced User Interface for Jolt
https://notcve.org/view.php?id=CVE-2023-49145
Apache NiFi 0.7.0 through 1.23.2 include the JoltTransformJSON Processor, which provides an advanced configuration user interface that is vulnerable to DOM-based cross-site scripting. If an authenticated user, who is authorized to configure a JoltTransformJSON Processor, visits a crafted URL, then arbitrary JavaScript code can be executed within the session context of the authenticated user. Upgrading to Apache NiFi 1.24.0 or 2.0.0-M1 is the recommended mitigation. Apache NiFi 0.7.0 a 1.23.2 incluye el procesador JoltTransformJSON, que proporciona una interfaz de usuario de configuración avanzada que es vulnerable a Cross Site Scripting basado en DOM. Si un usuario autenticado, que está autorizado a configurar un procesador JoltTransformJSON, visita una URL manipulada, entonces se puede ejecutar código JavaScript arbitrario dentro del contexto de sesión del usuario autenticado. • http://www.openwall.com/lists/oss-security/2023/11/27/5 https://lists.apache.org/thread/j8rd0qsvgoj0khqck5f49jfbp0fm8r1o https://nifi.apache.org/security.html#CVE-2023-49145 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-36542 – Apache NiFi: Potential Code Injection with Properties Referencing Remote Resources
https://notcve.org/view.php?id=CVE-2023-36542
Apache NiFi 0.0.2 through 1.22.0 include Processors and Controller Services that support HTTP URL references for retrieving drivers, which allows an authenticated and authorized user to configure a location that enables custom code execution. The resolution introduces a new Required Permission for referencing remote resources, restricting configuration of these components to privileged users. The permission prevents unprivileged users from configuring Processors and Controller Services annotated with the new Reference Remote Resources restriction. Upgrading to Apache NiFi 1.23.0 is the recommended mitigation. • http://seclists.org/fulldisclosure/2023/Jul/43 http://www.openwall.com/lists/oss-security/2023/07/29/1 https://lists.apache.org/thread/swnly3dzhhq9zo3rofc8djq77stkhbof https://nifi.apache.org/security.html#CVE-2023-36542 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.8EPSS: 89%CPEs: 1EXPL: 2CVE-2023-34468 – Apache NiFi: Potential Code Injection with Database Services using H2
https://notcve.org/view.php?id=CVE-2023-34468
The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution. The resolution validates the Database URL and rejects H2 JDBC locations. You are recommended to upgrade to version 1.22.0 or later which fixes this issue. • https://github.com/mbadanoiu/CVE-2023-34468 http://packetstormsecurity.com/files/174398/Apache-NiFi-H2-Connection-String-Remote-Code-Execution.html http://www.openwall.com/lists/oss-security/2023/06/12/3 https://lists.apache.org/thread/7b82l4f5blmpkfcynf3y6z4x1vqo59h8 https://nifi.apache.org/security.html#CVE-2023-34468 https://www.cyfirma.com/outofband/apache-nifi-cve-2023-34468-rce-vulnerability-analysis-and-exploitation https://issues.apache.org/jira/browse/NIFI-11653 https://nifi.apache.org/secu • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-22832 – Apache NiFi: Improper Restriction of XML External Entity References in ExtractCCDAAttributes
https://notcve.org/view.php?id=CVE-2023-22832
The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references. Flow configurations that include the ExtractCCDAAttributes Processor are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. The resolution disables Document Type Declarations and disallows XML External Entity resolution in the ExtractCCDAAttributes Processor. • https://lists.apache.org/thread/b51qs6y7b7r58vovddkv6wc16g2xbl3w https://nifi.apache.org/security.html#CVE-2023-22832 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-29265 – Improper Restriction of XML External Entity References in Multiple Components
https://notcve.org/view.php?id=CVE-2022-29265
Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configuration. The Standard Content Viewer service attempts to resolve XML External Entity references when viewing formatted XML files. The following Processors attempt to resolve XML External Entity references when configured with default property values: - EvaluateXPath - EvaluateXQuery - ValidateXml Apache NiFi flow configurations that include these Processors are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. The resolution disables Document Type Declarations in the default configuration for these Processors, and disallows XML External Entity resolution in standard services. Varios componentes de Apache NiFi versiones 0.0.1 a 1.16.0, no restringen las referencias de tipo XML External Entity en la configuración por defecto. • https://lists.apache.org/thread/47od9kr9n4cyv0mv81jh3pkyx815kyjl https://nifi.apache.org/security.html#CVE-2022-29265 • CWE-611: Improper Restriction of XML External Entity Reference •