Apache NiFi vulnerable to cross-site scripting
CVE-2024-37389

4.6MEDIUM

Key Information:

Vendor: Apache
Status: Apache Nifi
Vendor: CVE Published:; 8 July 2024

Summary

Apache NiFi 1.10.0 through 1.26.0 and 2.0.0-M1 through 2.0.0-M3 support a description field in the Parameter Context configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to configure a Parameter Context, can enter arbitrary JavaScript code, which the client browser will execute within the session context of the authenticated user. Upgrading to Apache NiFi 1.27.0 or 2.0.0-M4 is the recommended mitigation.

Affected Version(s)

Apache NiFi 1.10.0 <= 1.26.0

Apache NiFi 2.0.0-M1 <= 2.0.0-M3

References

https://lists.apache.org/thread/yso9fr0wtff53nk046h1o83hd...

vendor-advisory

CVSS V3.1

Score:

4.6

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Jul 8, 2024
Vulnerability Reserved
Jun 7, 2024

Credit

Akbar Kustirama