CVE-2023-22832

Sažetak

The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references. Flow configurations that include the ExtractCCDAAttributes Processor are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. The resolution disables Document Type Declarations and disallows XML External Entity resolution in the ExtractCCDAAttributes Processor.

Reference

https://lists.apache.org/thread/b51qs6y7b7r58vovddkv6wc16g2xbl3w
https://nifi.apache.org/security.html#CVE-2023-22832
https://lists.apache.org/thread/b51qs6y7b7r58vovddkv6wc16g2xbl3w
https://nifi.apache.org/security.html#CVE-2023-22832

CVSS

Base:	7.5
Impact:	3.6
Exploitability:	3.9

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
HIGH	NONE	NONE

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Zadnje važnije ažuriranje

24-03-2025 - 17:15

Objavljeno

10-02-2023 - 08:15