CVE-2024-45477
MEDIUM4.6EPSS 1.3%Apache NiFi: Improper Neutralization of Input in Parameter Description
發布日:2024/10/29修改日:2026/4/13
描述
Apache NiFi 1.10.0 through 1.27.0 support a description field for Parameters in a Parameter Context configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to configure a Parameter Context, can enter arbitrary JavaScript code, which the client browser will execute within the session context of the authenticated user. Upgrading to Apache NiFi 1.28.0 or higher is the recommended mitigation.
受影響套件(2)
- Bitnami/nifi>= 1.10.0, < 1.28.0
- Maven/org.apache.nifi:nifi-web-ui>= 1.10.0, < 1.28.0
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
| osv | CVSS 3.1 | MEDIUM4.6 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N |
參考連結(9)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-45477
- PATCHhttps://github.com/apache/nifi
- WEBhttps://github.com/apache/nifi/blob/rel/nifi-1.27.0/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/js/nf/canvas/nf-parameter-contexts.js#L2197
- WEBhttps://github.com/apache/nifi/commit/153c87a7daaeebea9b119066285b840ea4056e09
- WEBhttps://github.com/apache/nifi/pull/9195
- WEBhttps://issues.apache.org/jira/browse/NIFI-13675
- WEBhttps://lists.apache.org/thread/shdv0tw9hggj7tx9pl7g93mgok2lwbj9
- WEBhttps://nifi.apache.org/documentation/security/#CVE-2024-45477
- WEBhttp://www.openwall.com/lists/oss-security/2024/10/28/1