CVE-2023-22832
CVE-2023-22832 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references. Flow configurations that include the ExtractCCDAAttributes Processor are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. The resolution disables Document Type Declarations and disallows XML External Entity resolution in the ExtractCCDAAttributes Processor. EPSS estimates a 1.41% chance of exploitation in the next 30 days.
Description
The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references. Flow configurations that include the ExtractCCDAAttributes Processor are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. The resolution disables Document Type Declarations and disallows XML External Entity resolution in the ExtractCCDAAttributes Processor.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Apache | Nifi | >= 1.2.0, <= 1.19.1 |
References
- https://lists.apache.org/thread/b51qs6y7b7r58vovddkv6wc16g2xbl3w (Mailing List, Vendor Advisory)
- https://nifi.apache.org/security.html#CVE-2023-22832 (Vendor Advisory)
Source: NVD / NIST
