Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS00Mnd4LTY1ZzQtNWN4ds4AAWtc
Improper Restriction of XML External Entity Reference in Apache NiFi
The SplitXML processor in Apache NiFi was vulnerable to XML External Entity (XXE) injection: malicious XML content fed to the processor could cause information disclosure or remote code execution. The fix, which disables external general entity parsing and disallows DOCTYPE declarations in the processor's XML parser, was applied in the Apache NiFi 1.6.0 release. Users running a prior 1.x release should upgrade to 1.6.0 or later.
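The mitigation the advisory describes comes down to two JAXP parser features: turning off external general entities and refusing DOCTYPE declarations, which is where an inline `<!ENTITY ... SYSTEM "...">` would have to be declared. The following is an added, stand-alone Java example written for this page; it is not NiFi's SplitXML code or the project's fix. It parses a constructed XXE payload with a default `SAXParserFactory` and again with a hardened one. The class and method names, the `TextCollector` handler and the temporary "secret" file standing in for a sensitive local file are all assumptions made for illustration.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;

import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

// Added example (not NiFi code): default vs. hardened SAX parser against an XXE payload.
public class SplitXmlXxeDemo {

    /** Collects character data so we can see whether the external entity was expanded. */
    static final class TextCollector extends DefaultHandler {
        final StringBuilder text = new StringBuilder();

        @Override
        public void characters(char[] ch, int start, int len) {
            text.append(ch, start, len);
        }
    }

    /** Default JAXP configuration: DOCTYPEs and external general entities are honoured. */
    static SAXParserFactory vulnerableFactory() {
        return SAXParserFactory.newInstance();
    }

    /** Hardened configuration matching the mitigation described in the advisory. */
    static SAXParserFactory hardenedFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Reject any DOCTYPE, so no entity can be declared at all.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces in case a deployment must allow DOCTYPE: do not fetch external entities or DTDs.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        return f;
    }

    /** Parses the document and returns the concatenated text content. */
    static String parse(SAXParserFactory factory, String xml) throws Exception {
        SAXParser parser = factory.newSAXParser();
        TextCollector handler = new TextCollector();
        parser.parse(new InputSource(new StringReader(xml)), handler);
        return handler.text.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a sensitive local file the attacker wants to exfiltrate.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "SECRET-CONTENTS".getBytes(StandardCharsets.UTF_8));
        secret.toFile().deleteOnExit();

        // Constructed XXE payload of the kind an attacker would place in a FlowFile.
        String payload =
            "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE root [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>\n"
            + "<root><record>&xxe;</record></root>";

        // Default parser: the entity is resolved and the file contents leak into the output.
        System.out.println("vulnerable: " + parse(vulnerableFactory(), payload));

        // Hardened parser: the DOCTYPE itself is rejected before any entity is resolved.
        try {
            System.out.println("hardened:   " + parse(hardenedFactory(), payload));
        } catch (SAXParseException e) {
            System.out.println("hardened:   rejected -> " + e.getMessage());
        }
    }
}
```

Run it with `javac SplitXmlXxeDemo.java && java SplitXmlXxeDemo`. The first line prints the temp file's contents, which is the information-disclosure case the advisory warns about; the second reports a `SAXParseException` because `disallow-doctype-decl` rejects the document before any entity can be declared. If a deployment genuinely needs DOCTYPE support, the remaining three features still prevent external entity and DTD fetches, but refusing the DOCTYPE outright is the simpler and safer default.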
Permalink: https://github.com/advisories/GHSA-42wx-65g4-5cxv
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00Mnd4LTY1ZzQtNWN4ds4AAWtc
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: almost 2 years ago
Updated: 7 months ago
CVSS Score: 9.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-42wx-65g4-5cxv, CVE-2018-1309
References:
- https://nvd.nist.gov/vuln/detail/CVE-2018-1309
- https://nifi.apache.org/security.html#CVE-2018-1309
- https://github.com/apache/nifi/commit/28067a29fd13cdf8e21b440fc65c6dd67872522f
- https://issues.apache.org/jira/browse/NIFI-4869
- https://github.com/advisories/GHSA-42wx-65g4-5cxv
Blast Radius: 19.4
Affected Packages
maven:org.apache.nifi:nifi-standard-processors
Dependent packages: 9
Dependent repositories: 95
Downloads:
Affected Version Ranges: >= 0.1.0, <= 1.5.0
Fixed in: 1.6.0
All affected versions: 0.2.1, 0.3.0, 0.4.0, 0.4.1, 0.5.0, 0.5.1, 0.6.0, 0.6.1, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.3.0, 1.4.0, 1.5.0
All unaffected versions: 1.6.0, 1.7.0, 1.7.1, 1.8.0, 1.9.0, 1.9.1, 1.9.2, 1.10.0, 1.11.0, 1.11.1, 1.11.2, 1.11.3, 1.11.4, 1.12.0, 1.12.1, 1.13.0, 1.13.1, 1.13.2, 1.14.0, 1.15.0, 1.15.1, 1.15.2, 1.15.3, 1.16.0, 1.16.1, 1.16.2, 1.16.3, 1.17.0, 1.18.0, 1.19.0, 1.19.1, 1.20.0, 1.21.0, 1.22.0, 1.23.0, 1.23.1, 1.23.2, 1.24.0, 1.25.0