Posted to issues@nifi.apache.org by "David Handermann (Jira)" <ji...@apache.org> on 2022/11/26 21:35:00 UTC

[jira] [Resolved] (NIFI-9676) Upgrade xmlsec to 2.1.7/2.2.3 due to CVE-2021-40690

     [ https://issues.apache.org/jira/browse/NIFI-9676?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

David Handermann resolved NIFI-9676.
------------------------------------
    Fix Version/s: 1.17.0
         Assignee: David Handermann  (was: Mike Thomsen)
       Resolution: Fixed

> Upgrade xmlsec to 2.1.7/2.2.3 due to CVE-2021-40690
> ---------------------------------------------------
>
>                 Key: NIFI-9676
>                 URL: https://issues.apache.org/jira/browse/NIFI-9676
>             Project: Apache NiFi
>          Issue Type: Bug
>            Reporter: Raman N
>            Assignee: David Handermann
>            Priority: Minor
>             Fix For: 1.17.0
>
>          Time Spent: 1h 10m
>  Remaining Estimate: 0h
>
> is currently pulling in xmlsec 1.5.8 as a transitive dependency (detected by Trivy). This needs to be upgraded to 2.2.3+ due to CVE-2021-40690.
>
> {code:java}
>         {
>           "VulnerabilityID": "CVE-2021-40690",
>           "PkgName": "org.apache.santuario:xmlsec",
>           "PkgPath": "opt/nifi/nifi-toolkit-current/lib/xmlsec-1.5.8.jar",
>           "InstalledVersion": "1.5.8",
>           "FixedVersion": "2.1.7, 2.2.3",
>           "Layer": {
>             "Digest": "sha256:4e4453b0591c2445b47576e4a8721ccc1bb1e7312c9f78c6c0f7fdbddad2a0f3",
>             "DiffID": "sha256:5e21f394214906c7864139895d26d2dae021b68493693c633f5f9b0a690ae2b2"
>           },
>           "SeveritySource": "ghsa-maven",
>           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-40690",
>           "Title": "xml-security: XPath Transform abuse allows for information disclosure",
>           "Description": "All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the \"secureValidation\" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.",
>           "Severity": "HIGH",
>           "CweIDs": [
>             "CWE-200"
>           ],
>           "CVSS": {
>             "nvd": {
>               "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
>               "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
>               "V2Score": 5,
>               "V3Score": 7.5
>             },
>             "redhat": {
>               "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
>               "V3Score": 7.5
>             }
>           },
> {code}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)