logo

Database

XML injection (XXE) In org.apache.nifi:nifi

Description

Apache NiFi information disclosure by XXE The XMLFileLookupService in NiFi versions 1.3.0 to 1.9.2 allowed trusted users to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE) and reveal information such as the versions of Java, Jersey, and Apache that the NiFI instance uses.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2019-100802. NVD-2019-100803. OSV-2019-100804. GCVE-2019-10080

References

1. https://github.com/apache/nifi/pull/35072. https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E3. https://nifi.apache.org/security.html#CVE-2019-100804. https://www.oracle.com/security-alerts/cpuApr2021.html

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.