CVE-2024-45477

Apache NiFi: Improper Neutralization of Input in Parameter Description

Severity Score

4.6

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

Apache NiFi 1.10.0 through 1.27.0 and 2.0.0-M1 through 2.0.0-M3 support a description field for Parameters in a Parameter Context configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to configure a Parameter Context, can enter arbitrary JavaScript code, which the client browser will execute within the session context of the authenticated user. Upgrading to Apache NiFi 1.28.0 or 2.0.0-M4 is the recommended mitigation.

Apache NiFi 1.10.0 a 1.27.0 y 2.0.0-M1 a 2.0.0-M3 admiten un campo de descripción para los parámetros en una configuración de contexto de parámetros que es vulnerable a cross-site scripting. Un usuario autenticado, autorizado para configurar un contexto de parámetros, puede ingresar código JavaScript arbitrario, que el navegador del cliente ejecutará dentro del contexto de sesión del usuario autenticado. La actualización a Apache NiFi 1.28.0 o 2.0.0-M4 es la mitigación recomendada.

*Credits: Muhammad Hazim Bin Nor Aizi

CVSS Scores

Apachev3.1 4.6

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-08-29 CVE Reserved
2024-10-29 CVE Published
2024-10-29 CVE Updated
2024-11-09 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

References (1)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://lists.apache.org/thread/shdv0tw9hggj7tx9pl7g93mgok2lwbj9	2024-10-29

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Software Foundation Search vendor "Apache Software Foundation"		Apache NiFi Search vendor "Apache Software Foundation" for product "Apache NiFi"				>= 1.10.0 <= 1.27.0 Search vendor "Apache Software Foundation" for product "Apache NiFi" and version " >= 1.10.0 <= 1.27.0"		en		Affected
Apache Software Foundation Search vendor "Apache Software Foundation"		Apache NiFi Search vendor "Apache Software Foundation" for product "Apache NiFi"				>= 2.0.0-M1 <= 2.0.0-M3 Search vendor "Apache Software Foundation" for product "Apache NiFi" and version " >= 2.0.0-M1 <= 2.0.0-M3"		en		Affected