CVE-2023-22832

EPSS 0.13%
Published 10.02.2023 08:15:12
Last modified 24.03.2025 17:15:14
Source security@apache.org
Teams watchlist Login
Open Login

The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references.

Flow configurations that include the ExtractCCDAAttributes Processor are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references.

The resolution disables Document Type Declarations and disallows XML External Entity resolution in the ExtractCCDAAttributes Processor.

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Apache ≫ Nifi Version >= 1.2.0 <= 1.19.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.13%	0.292

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
134c704f-9b21-4f2e-91b3-4a467353bcc0	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-611 Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

https://lists.apache.org/thread/b51qs6y7b7r58vovddkv6wc16g2xbl3w

Vendor Advisory

Mailing List

https://nifi.apache.org/security.html#CVE-2023-22832

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-22832

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-22832

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-22832

EUVD