XML injection (XXE) in org.apache.nifi:nifi
Description
Improper Restriction of XML External Entity Reference in Apache NiFi

In Apache NiFi 1.0.0 to 1.11.4, the notification service manager and various policy authorizer and user group provider objects allowed trusted administrators to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE).
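
A pre-load audit for the kind of XML configuration file described above, as an added example rather than NiFi's own code: it reports DOCTYPE and entity declarations without resolving them and stops at the root element. The function names and both sample documents are constructed for illustration.

```python
import xml.parsers.expat as expat

# Constructed samples; element names are illustrative, not NiFi's schema.
CLEAN_SAMPLE = b"""<?xml version="1.0"?>
<services><service><id>email</id></service></services>"""
XXE_SAMPLE = b"""<?xml version="1.0"?>
<!DOCTYPE services [
  <!ENTITY probe SYSTEM "http://collector.invalid/probe">
]>
<services><service><id>&probe;</id></service></services>"""


class _PrologDone(Exception):
    """Raised at the root element: all declarations precede it."""


def audit_xml_config(data):
    """Return (kind, name, system_id) findings; an empty list means no DTD."""
    findings = []
    parser = expat.ParserCreate()
    # Do not read an external DTD subset or parameter entities while auditing.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings.append(("doctype", name, system_id))

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        kind = "external-entity" if system_id is not None else "internal-entity"
        findings.append((kind, name, system_id))

    def on_root(name, attrs):
        # Stop before content so no entity reference is ever expanded.
        raise _PrologDone

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = on_root
    try:
        parser.Parse(data, True)
    except _PrologDone:
        pass
    except expat.ExpatError as exc:
        findings.append(("parse-error", str(exc), None))
    return findings


def is_safe_to_load(data):
    """Reject any file with a DOCTYPE, entity declaration or parse error."""
    return not audit_xml_config(data)
```

A configuration file that legitimately needs no DTD should produce an empty findings list; anything else is worth reviewing before the file is put in place.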
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
| Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
| maven | org.apache.nifi:nifi | 1.0.0 to 1.11.4 | 1.12.0-rc1 |