Apache NiFi information disclosure by XXE
CVE-2021-44145

6.5MEDIUM

Key Information:

Vendor: Apache
Status: Apache Nifi
Vendor: CVE Published:; 17 December 2021

Summary

In the TransformXML processor of Apache NiFi before 1.15.1 an authenticated user could configure an XSLT file which, if it included malicious external entity calls, may reveal sensitive information.

Affected Version(s)

Apache NiFi Apache NiFi <= 1.15.0

References

https://nifi.apache.org/security.html#1.15.1-vulnerabilities

x_refsource_MISC

http://www.openwall.com/lists/oss-security/2021/12/17/1

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 17, 2021
Vulnerability Reserved
Nov 22, 2021

Credit

This issue was discovered by DangKhai at Viettel Cyber Security.