CVE-2023-49145 – org.apache.nifi:nifi-jolt-transform-json-ui
Package
Manager: maven
Name: org.apache.nifi:nifi-jolt-transform-json-ui
Vulnerable Version: >=0 <1.24.0
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00218 (percentile 0.44442)
Details
Title: Improper Neutralization of Input in Advanced User Interface for Jolt
Apache NiFi 0.7.0 through 1.23.2 include the JoltTransformJSON Processor, which provides an advanced configuration user interface that is vulnerable to DOM-based cross-site scripting (CWE-79). If an authenticated user who is authorized to configure a JoltTransformJSON Processor visits a crafted URL, arbitrary JavaScript can be executed in that user's session context. Exploitation therefore requires both an authorized account (PR:L) and a user action such as following a link (UI:R). Upgrading to Apache NiFi 1.24.0 or 2.0.0-M1 is the recommended mitigation.
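The following is an added illustration, not code from Apache NiFi or from the Jolt advanced UI, of the generic bug class the advisory describes: a value is read from the page URL and written into markup without neutralization, shown beside two hardened forms (HTML-escaping the text, and allowlist-validating an identifier before use). The query parameters `name` and `id`, the host and path in the sample URLs, and the UUID identifier format are assumptions made for the example; the sample URLs are constructed.

```javascript
// Added example (not Apache NiFi code): a generic model of the DOM-based XSS
// pattern described in CVE-2023-49145 (CWE-79), next to hardened versions.
// Assumptions for illustration only: query parameters "name" and "id", the
// example host/path, and a UUID-shaped processor identifier.

// Source: attacker-influenced data read from the page URL. In a browser this
// would be window.location.href; the URL is passed in so the functions run in
// Node and can be tested offline.
function paramFromUrl(href, name) {
  return new URL(href).searchParams.get(name) ?? "";
}

// Vulnerable sink pattern: untrusted URL data concatenated into markup that a
// page would then assign to element.innerHTML (or hand to jQuery .html()).
// Any tag in the parameter, e.g. <img src=x onerror=...>, becomes live DOM and
// its handler runs in the authenticated user's session.
function renderHeadingUnsafe(href) {
  const name = paramFromUrl(href, "name");
  return `<h2>Jolt Transform for ${name}</h2>`;
}

// Hardened form 1: HTML-escape before interpolating. The text survives, the
// markup does not. (Assigning via textContent instead of innerHTML achieves
// the same in a real page.)
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderHeadingSafe(href) {
  const name = paramFromUrl(href, "name");
  return `<h2>Jolt Transform for ${escapeHtml(name)}</h2>`;
}

// Hardened form 2: validate identifiers taken from the URL against a strict
// allowlist before using them anywhere. Assumed format: a UUID.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
function processorIdFromUrl(href) {
  const id = paramFromUrl(href, "id");
  if (!UUID_RE.test(id)) throw new Error("rejected non-UUID processor id");
  return id;
}

// Constructed sample URLs: a benign one and one carrying a script-bearing tag.
const BENIGN_URL =
  "https://nifi.example.internal/jolt-ui/?id=123e4567-e89b-12d3-a456-426614174000&name=Flatten";
const CRAFTED_URL =
  "https://nifi.example.internal/jolt-ui/?id=1&name=%3Cimg%20src%3Dx%20onerror%3Dalert(document.cookie)%3E";

console.log("unsafe:", renderHeadingUnsafe(CRAFTED_URL));
console.log("safe:  ", renderHeadingSafe(CRAFTED_URL));
console.log("id:    ", processorIdFromUrl(BENIGN_URL));
```

Two practitioner notes follow from the pattern. First, escaping output is the fix for text that must be displayed, while identifiers that are only used for lookups should be allowlist-validated and rejected outright when malformed, as `processorIdFromUrl` does. Second, because this class of XSS executes entirely in the browser, a payload carried in the URL fragment (`#...`) never reaches the server, so server-side request logs alone may not show an attempt; a payload in the query string, as in the constructed URL above, would.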
Metadata
Created: 2023-11-28T00:30:33Z
Modified: 2023-11-28T20:59:40Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-68pr-6fjc-wmgm/GHSA-68pr-6fjc-wmgm.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-68pr-6fjc-wmgm
Finding: F008
Auto approve: 1