CVE-2019-10080

6.5MEDIUM

Key Information:

Vendor: Apache
Status: Apache Nifi
Vendor: CVE Published:; 19 November 2019

Summary

The XMLFileLookupService in NiFi versions 1.3.0 to 1.9.2 allowed trusted users to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE) and reveal information such as the versions of Java, Jersey, and Apache that the NiFI instance uses.

Affected Version(s)

Apache NiFi Apache NiFi 1.3.0 to 1.9.2

References

https://lists.apache.org/thread.html/rca37935d661f4689cb4...

mailing-listx_refsource_MLIST

https://www.oracle.com/security-alerts/cpuApr2021.html

x_refsource_MISC

https://nifi.apache.org/security.html#CVE-2019-10080

x_refsource_CONFIRM

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 19, 2019
Vulnerability Reserved
Mar 26, 2019

.