Apache NiFi: Improper Neutralization of Input in Advanced User Interface for Jolt
CVE-2023-49145

7.9HIGH

Key Information:

Vendor: Apache
Status: Apache Nifi
Vendor: CVE Published:; 27 November 2023

Summary

Apache NiFi versions 0.7.0 through 1.23.2 contain a security flaw in the JoltTransformJSON Processor, leading to a potential DOM-based cross-site scripting vulnerability. When an authenticated user, permitted to configure this processor, interacts with a maliciously crafted URL, it can allow unauthorized execution of arbitrary JavaScript within the user's session. To mitigate this risk, upgrading to Apache NiFi version 1.24.0 or 2.0.0-M1 is highly recommended.

Affected Version(s)

Apache NiFi 0.7.0 <= 1.23.2

References

https://nifi.apache.org/security.html#CVE-2023-49145

vendor-advisory

https://lists.apache.org/thread/j8rd0qsvgoj0khqck5f49jfbp...

vendor-advisory

http://www.openwall.com/lists/oss-security/2023/11/27/5

CVSS V3.1

Score:

7.9

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Nov 27, 2023
Vulnerability Reserved
Nov 22, 2023

Credit

Dr. Oliver Matula, DB Systel GmbH