CVE-2023-22832
Severity: HIGH 7.5
EPSS: 2.0%
Apache NiFi: Improper Restriction of XML External Entity References in ExtractCCDAAttributes
Published: 2023/2/10
Modified: 2025/9/15
Description
The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references. Flow configurations that include the ExtractCCDAAttributes Processor are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. The resolution disables Document Type Declarations and disallows XML External Entity resolution in the ExtractCCDAAttributes Processor.
Affected packages (2)
- Bitnami/nifi: >= 1.2.0, <= 1.19.1
- Maven/org.apache.nifi:nifi-ccda-processors: >= 1.2.0, < 1.20.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |