The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references.
Flow configurations that include the ExtractCCDAAttributes Processor are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references.
The resolution disables Document Type Declarations and disallows XML External Entity resolution in the ExtractCCDAAttributes Processor.
References
Link | Resource |
---|---|
https://lists.apache.org/thread/b51qs6y7b7r58vovddkv6wc16g2xbl3w | Mailing List Vendor Advisory |
https://nifi.apache.org/security.html#CVE-2023-22832 | Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: apache
Published: 2023-02-10T07:45:36.964Z
Updated:
Reserved: 2023-01-06T20:44:21.364Z
Link: CVE-2023-22832
JSON object: View
NVD Information
Status : Modified
Published: 2023-02-10T08:15:12.843
Modified: 2023-11-07T04:07:26.883
Link: CVE-2023-22832
JSON object: View
Redhat Information
No data.
CWE