CVE-2022-29265

Improper Restriction of XML External Entity References in Multiple Components

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configuration. The Standard Content Viewer service attempts to resolve XML External Entity references when viewing formatted XML files. The following Processors attempt to resolve XML External Entity references when configured with default property values: - EvaluateXPath - EvaluateXQuery - ValidateXml Apache NiFi flow configurations that include these Processors are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. The resolution disables Document Type Declarations in the default configuration for these Processors, and disallows XML External Entity resolution in standard services.

Varios componentes de Apache NiFi versiones 0.0.1 a 1.16.0, no restringen las referencias de tipo XML External Entity en la configuración por defecto. El servicio Standard Content Viewer intenta resolver las referencias a Entidades Externas XML cuando son visualizados archivos XML formateados. Los siguientes procesadores intentan resolver las referencias a entidades externas XML cuando están configurados con los valores predeterminados de las propiedades: - EvaluateXPath - EvaluateXQuery - ValidateXml Las configuraciones de flujo de Apache NiFi que incluyen estos procesadores son vulnerables a documentos XML maliciosos que contienen Declaraciones de Tipo de Documento con referencias a Entidades Externas XML. La resolución deshabilita las Declaraciones de Tipo de Documento en la configuración por defecto de estos Procesadores, y deshabilita la resolución de Entidades Externas XML en los servicios estándar

*Credits: David Handermann at exceptionfactory.com reported this issue.

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-04-14 CVE Reserved
2022-04-30 CVE Published
2024-04-26 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-611: Improper Restriction of XML External Entity Reference

CAPEC

References (2)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://lists.apache.org/thread/47od9kr9n4cyv0mv81jh3pkyx815kyjl	2022-05-10
https://nifi.apache.org/security.html#CVE-2022-29265	2022-05-10

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Search vendor "Apache"		Nifi Search vendor "Apache" for product "Nifi"				>= 0.0.1 <= 1.16.0 Search vendor "Apache" for product "Nifi" and version " >= 0.0.1 <= 1.16.0"		-		Affected