CVE-2018-1309 – org.apache.nifi:nifi-standard-processors

Package

Manager: maven
Name: org.apache.nifi:nifi-standard-processors
Vulnerable Version: >=0.1.0 <1.6.0

Severity

Level: Critical

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.02856 pctl0.85728

Details

Improper Restriction of XML External Entity Reference in Apache NiFi Apache NiFi External XML Entity issue in SplitXML processor. Malicious XML content could cause information disclosure or remote code execution. The fix to disable external general entity parsing and disallow doctype declarations was applied on the Apache NiFi 1.6.0 release. Users running a prior 1.x release should upgrade to the appropriate release.

Metadata

Created: 2022-05-14T03:16:17Z
Modified: 2023-09-12T19:08:14Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-42wx-65g4-5cxv/GHSA-42wx-65g4-5cxv.json
CWE IDs: ["CWE-611"]
Alternative ID: GHSA-42wx-65g4-5cxv
Finding: F083
Auto approve: 1