CVE-2020-13940

MEDIUM5.5EPSS 0.96%

Improper Restriction of XML External Entity Reference in Apache NiFi

Published: 1/6/2022Modified: 9/15/2025

Description

In Apache NiFi 1.0.0 to 1.11.4, the notification service manager and various policy authorizer and user group provider objects allowed trusted administrators to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE).

Affected packages (2)

Bitnami/nifi>= 1.0.0, <= 1.11.4
Maven/org.apache.nifi:nifi>= 1.0.0, < 1.12.0-RC1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.5	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References (3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-13940
WEBhttps://github.com/apache/nifi/commit/7f0416ee8bdcee95e28409cc6fae9c1394c2a798
WEBhttps://nifi.apache.org/security#CVE-2020-13940