CVE-2020-13940 – org.apache.nifi:nifi
Package
Manager: maven
Name: org.apache.nifi:nifi
Vulnerable Version: >=1.0.0 <1.12.0-rc1
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.01252 (percentile 0.78565)
Details
Improper Restriction of XML External Entity Reference in Apache NiFi
In Apache NiFi 1.0.0 to 1.11.4, the notification service manager and various policy authorizer and user group provider objects allowed trusted administrators to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE).
Metadata
Created: 2022-01-06T20:41:00Z
Modified: 2021-03-29T16:20:14Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-q4xf-3pmq-3hw8/GHSA-q4xf-3pmq-3hw8.json
CWE IDs: ["CWE-611"]
Alternative ID: GHSA-q4xf-3pmq-3hw8
Finding: F083
Auto approve: 1