Apache NiFi vulnerable to cross-site scripting

CVE-2024-37389

4.6MEDIUM

Key Information

Vendor: Apache
Status: Apache Nifi
Vendor: CVE Published:; 8 July 2024

Summary

Apache NiFi 1.10.0 through 1.26.0 and 2.0.0-M1 through 2.0.0-M3 support a description field in the Parameter Context configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to configure a Parameter Context, can enter arbitrary JavaScript code, which the client browser will execute within the session context of the authenticated user. Upgrading to Apache NiFi 1.27.0 or 2.0.0-M4 is the recommended mitigation.

Affected Version(s)

Apache NiFi <= 1.26.0

Apache NiFi <= 2.0.0-M3

CVSS V3.1

Score:

4.6

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Timeline

Risk change from: 5.4 to: 4.6 - (MEDIUM)
Sep 13, 2024
Vulnerability published.
Jul 8, 2024
Vulnerability Reserved.
Jun 7, 2024
resolved
Jun 7, 2024
confirmed
Jun 7, 2024
reported
Jun 7, 2024

Collectors

NVD DatabaseMitre Database

Credit

Akbar Kustirama