Apache NiFi vulnerable to cross-site scripting

CVE-2024-37389
4.6MEDIUM

Key Information

Vendor
Apache
Status
Apache Nifi
Vendor
CVE Published:
8 July 2024

Summary

Apache NiFi 1.10.0 through 1.26.0 and 2.0.0-M1 through 2.0.0-M3 support a description field in the Parameter Context configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to configure a Parameter Context, can enter arbitrary JavaScript code, which the client browser will execute within the session context of the authenticated user. Upgrading to Apache NiFi 1.27.0 or 2.0.0-M4 is the recommended mitigation.

Affected Version(s)

Apache NiFi <= 1.26.0

Apache NiFi <= 2.0.0-M3

CVSS V3.1

Score:
4.6
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Risk change from: 5.4 to: 4.6 - (MEDIUM)

  • Vulnerability published.

  • Vulnerability Reserved.

  • resolved

  • confirmed

  • reported

Collectors

NVD DatabaseMitre Database

Credit

Akbar Kustirama
.