CVE-2024-37389
Apache NiFi: Improper Neutralization of Input in Parameter Context Description
Severity Score
5.4
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
Track
*SSVC
Descriptions
Apache NiFi 1.10.0 through 1.26.0 and 2.0.0-M1 through 2.0.0-M3 support a description field in the Parameter Context configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to configure a Parameter Context, can enter arbitrary JavaScript code, which the client browser will execute within the session context of the authenticated user. Upgrading to Apache NiFi 1.27.0 or 2.0.0-M4 is the recommended mitigation.
Apache NiFi 1.10.0 a 1.26.0 y 2.0.0-M1 a 2.0.0-M3 admiten un campo de descripción en la configuración del contexto de parámetros que es vulnerable a Cross site Scripting. Un usuario autenticado, autorizado para configurar un contexto de parámetro, puede ingresar código JavaScript arbitrario, que el navegador del cliente ejecutará dentro del contexto de sesión del usuario autenticado. La mitigación recomendada es actualizar a Apache NiFi 1.27.0 o 2.0.0-M4.
*Credits:
Akbar Kustirama
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:Track
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2024-06-07 CVE Reserved
- 2024-07-08 CVE Published
- 2024-08-10 EPSS Updated
- 2024-09-13 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (1)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://lists.apache.org/thread/yso9fr0wtff53nk046h1o83hdyb1lrxh | 2024-07-11 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Apache Search vendor "Apache" | Nifi Search vendor "Apache" for product "Nifi" | >= 1.10.0 < 1.27.0 Search vendor "Apache" for product "Nifi" and version " >= 1.10.0 < 1.27.0" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Nifi Search vendor "Apache" for product "Nifi" | 2.0.0 Search vendor "Apache" for product "Nifi" and version "2.0.0" | milestone1 |
Affected
| ||||||
| Apache Search vendor "Apache" | Nifi Search vendor "Apache" for product "Nifi" | 2.0.0 Search vendor "Apache" for product "Nifi" and version "2.0.0" | milestone1-rc1 |
Affected
| ||||||
| Apache Search vendor "Apache" | Nifi Search vendor "Apache" for product "Nifi" | 2.0.0 Search vendor "Apache" for product "Nifi" and version "2.0.0" | milestone1-rc2 |
Affected
| ||||||
| Apache Search vendor "Apache" | Nifi Search vendor "Apache" for product "Nifi" | 2.0.0 Search vendor "Apache" for product "Nifi" and version "2.0.0" | milestone1-rc3 |
Affected
| ||||||
| Apache Search vendor "Apache" | Nifi Search vendor "Apache" for product "Nifi" | 2.0.0 Search vendor "Apache" for product "Nifi" and version "2.0.0" | milestone1-rc4 |
Affected
| ||||||
| Apache Search vendor "Apache" | Nifi Search vendor "Apache" for product "Nifi" | 2.0.0 Search vendor "Apache" for product "Nifi" and version "2.0.0" | milestone1-rc5 |
Affected
| ||||||
| Apache Search vendor "Apache" | Nifi Search vendor "Apache" for product "Nifi" | 2.0.0 Search vendor "Apache" for product "Nifi" and version "2.0.0" | milestone1-rc6 |
Affected
| ||||||
| Apache Search vendor "Apache" | Nifi Search vendor "Apache" for product "Nifi" | 2.0.0 Search vendor "Apache" for product "Nifi" and version "2.0.0" | milestone2 |
Affected
| ||||||
| Apache Search vendor "Apache" | Nifi Search vendor "Apache" for product "Nifi" | 2.0.0 Search vendor "Apache" for product "Nifi" and version "2.0.0" | milestone2-rc1 |
Affected
| ||||||
| Apache Search vendor "Apache" | Nifi Search vendor "Apache" for product "Nifi" | 2.0.0 Search vendor "Apache" for product "Nifi" and version "2.0.0" | milestone2-rc2 |
Affected
| ||||||
| Apache Search vendor "Apache" | Nifi Search vendor "Apache" for product "Nifi" | 2.0.0 Search vendor "Apache" for product "Nifi" and version "2.0.0" | milestone2-rc3 |
Affected
| ||||||
| Apache Search vendor "Apache" | Nifi Search vendor "Apache" for product "Nifi" | 2.0.0 Search vendor "Apache" for product "Nifi" and version "2.0.0" | milestone2-rc4 |
Affected
| ||||||
| Apache Search vendor "Apache" | Nifi Search vendor "Apache" for product "Nifi" | 2.0.0 Search vendor "Apache" for product "Nifi" and version "2.0.0" | milestone3 |
Affected
| ||||||
| Apache Search vendor "Apache" | Nifi Search vendor "Apache" for product "Nifi" | 2.0.0 Search vendor "Apache" for product "Nifi" and version "2.0.0" | milestone3-rc1 |
Affected
| ||||||