// For flags

CVE-2023-49145

Apache NiFi: Improper Neutralization of Input in Advanced User Interface for Jolt

Severity Score

5.4
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Apache NiFi 0.7.0 through 1.23.2 include the JoltTransformJSON Processor, which provides an advanced configuration user interface that is vulnerable to DOM-based cross-site scripting. If an authenticated user, who is authorized to configure a JoltTransformJSON Processor, visits a crafted URL, then arbitrary
JavaScript code can be executed within the session context of the authenticated user. Upgrading to Apache NiFi 1.24.0 or 2.0.0-M1 is the recommended mitigation.

Apache NiFi 0.7.0 a 1.23.2 incluye el procesador JoltTransformJSON, que proporciona una interfaz de usuario de configuración avanzada que es vulnerable a Cross Site Scripting basado en DOM. Si un usuario autenticado, que está autorizado a configurar un procesador JoltTransformJSON, visita una URL manipulada, entonces se puede ejecutar código JavaScript arbitrario dentro del contexto de sesión del usuario autenticado. La mitigación recomendada es actualizar a Apache NiFi 1.24.0 o 2.0.0-M1.

*Credits: Dr. Oliver Matula, DB Systel GmbH
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
Low
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2023-11-22 CVE Reserved
  • 2023-11-27 CVE Published
  • 2023-12-30 EPSS Updated
  • 2024-08-02 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Apache
Search vendor "Apache"
 Nifi
Search vendor "Apache" for product "Nifi"
 >= 0.7.0 < 1.24.0
Search vendor "Apache" for product "Nifi" and version " >= 0.7.0 < 1.24.0"
-
Affected