CVE Vulnerability

CVE-2023-22832

The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references. Flow configurations that include the ExtractCCDAAttributes Processor are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. The resolution disables Document Type Declarations and disallows XML External Entity resolution in the ExtractCCDAAttributes Processor.

7.5 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://lists.apache.org/thread/b51qs6y7b7r58vovddkv6wc16g2xbl3w Mailing List Vendor Advisory
https://nifi.apache.org/security.html#CVE-2023-22832 Vendor Advisory
Configurations

Configuration 1

cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*
Information

Published : 2023-02-10 08:15

Updated : 2023-02-17 06:30

NVD link : CVE-2023-22832

Mitre link : CVE-2023-22832

Products Affected
No products.
CWE
CWE-611

Improper Restriction of XML External Entity Reference