CVE-2023-22832 – Apache NiFi: Improper Restriction of XML External Entity References in ExtractCCDAAttributes
https://notcve.org/view.php?id=CVE-2023-22832
The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references. Flow configurations that include the ExtractCCDAAttributes Processor are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. The resolution disables Document Type Declarations and disallows XML External Entity resolution in the ExtractCCDAAttributes Processor. • https://lists.apache.org/thread/b51qs6y7b7r58vovddkv6wc16g2xbl3w https://nifi.apache.org/security.html#CVE-2023-22832 • CWE-611: Improper Restriction of XML External Entity Reference •
CVE-2022-33140 – Improper Neutralization of Command Elements in Shell User Group Provider
https://notcve.org/view.php?id=CVE-2022-33140
The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not neutralize arguments for group resolution commands, allowing injection of operating system commands on Linux and macOS platforms. The ShellUserGroupProvider is not included in the default configuration. Command injection requires ShellUserGroupProvider to be one of the enabled User Group Providers in the Authorizers configuration. Command injection also requires an authenticated user with elevated privileges. Apache NiFi requires an authenticated user with authorization to modify access policies in order to execute the command. • https://lists.apache.org/thread/bzs2pcdjsdrh5039oslmfr9mbs9qqdhr https://nifi.apache.org/security.html#CVE-2022-33140 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2022-29265 – Improper Restriction of XML External Entity References in Multiple Components
https://notcve.org/view.php?id=CVE-2022-29265
Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configuration. The Standard Content Viewer service attempts to resolve XML External Entity references when viewing formatted XML files. The following Processors attempt to resolve XML External Entity references when configured with default property values: - EvaluateXPath - EvaluateXQuery - ValidateXml Apache NiFi flow configurations that include these Processors are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. The resolution disables Document Type Declarations in the default configuration for these Processors, and disallows XML External Entity resolution in standard services. Varios componentes de Apache NiFi versiones 0.0.1 a 1.16.0, no restringen las referencias de tipo XML External Entity en la configuración por defecto. • https://lists.apache.org/thread/47od9kr9n4cyv0mv81jh3pkyx815kyjl https://nifi.apache.org/security.html#CVE-2022-29265 • CWE-611: Improper Restriction of XML External Entity Reference •
CVE-2022-26850 – Insufficiently protected credentials
https://notcve.org/view.php?id=CVE-2022-26850
When creating or updating credentials for single-user access, Apache NiFi wrote a copy of the Login Identity Providers configuration to the operating system temporary directory. On most platforms, the operating system temporary directory has global read permissions. NiFi immediately moved the temporary file to the final configuration directory, which significantly limited the window of opportunity for access. NiFi 1.16.0 includes updates to replace the Login Identity Providers configuration without writing a file to the operating system temporary directory. Cuando son creadas o actualizadas las credenciales para el acceso de un solo usuario, Apache NiFi escribe una copia de la configuración de los proveedores de identidad de inicio de sesión en el directorio temporal del sistema operativo. • http://www.openwall.com/lists/oss-security/2022/04/06/2 https://nifi.apache.org/security.html#CVE-2022-26850 • CWE-668: Exposure of Resource to Wrong Sphere •
CVE-2021-44145 – Apache NiFi information disclosure by XXE
https://notcve.org/view.php?id=CVE-2021-44145
In the TransformXML processor of Apache NiFi before 1.15.1 an authenticated user could configure an XSLT file which, if it included malicious external entity calls, may reveal sensitive information. En el procesador TransformXML de Apache NiFi versiones anteriores a 1.15.1, un usuario autenticado podía configurar un archivo XSLT que, si incluía llamadas a entidades externas maliciosas, podía revelar información confidencial • http://www.openwall.com/lists/oss-security/2021/12/17/1 https://nifi.apache.org/security.html#1.15.1-vulnerabilities • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •