Posted to issues@nifi.apache.org by "David Handermann (Jira)" <ji...@apache.org> on 2022/11/26 21:35:00 UTC
[jira] [Resolved] (NIFI-9676) Upgrade xmlsec to 2.1.7/2.2.3 due to CVE-2021-40690
[ https://issues.apache.org/jira/browse/NIFI-9676?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
David Handermann resolved NIFI-9676.
------------------------------------
Fix Version/s: 1.17.0
Assignee: David Handermann (was: Mike Thomsen)
Resolution: Fixed
> Upgrade xmlsec to 2.1.7/2.2.3 due to CVE-2021-40690
> ---------------------------------------------------
>
> Key: NIFI-9676
> URL: https://issues.apache.org/jira/browse/NIFI-9676
> Project: Apache NiFi
> Issue Type: Bug
> Reporter: Raman N
> Assignee: David Handermann
> Priority: Minor
> Fix For: 1.17.0
>
> Time Spent: 1h 10m
> Remaining Estimate: 0h
>
> is currently pulling in xmlsec 1.5.8 as a transitive dependency (detected by Trivy). This needs to be upgraded to 2.2.3+ due to CVE-2021-40690.
>
> {code:json}
> {
>   "VulnerabilityID": "CVE-2021-40690",
>   "PkgName": "org.apache.santuario:xmlsec",
>   "PkgPath": "opt/nifi/nifi-toolkit-current/lib/xmlsec-1.5.8.jar",
>   "InstalledVersion": "1.5.8",
>   "FixedVersion": "2.1.7, 2.2.3",
>   "Layer": {
>     "Digest": "sha256:4e4453b0591c2445b47576e4a8721ccc1bb1e7312c9f78c6c0f7fdbddad2a0f3",
>     "DiffID": "sha256:5e21f394214906c7864139895d26d2dae021b68493693c633f5f9b0a690ae2b2"
>   },
>   "SeveritySource": "ghsa-maven",
>   "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-40690",
>   "Title": "xml-security: XPath Transform abuse allows for information disclosure",
>   "Description": "All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the \"secureValidation\" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.",
>   "Severity": "HIGH",
>   "CweIDs": [
>     "CWE-200"
>   ],
>   "CVSS": {
>     "nvd": {
>       "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
>       "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
>       "V2Score": 5,
>       "V3Score": 7.5
>     },
>     "redhat": {
>       "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
>       "V3Score": 7.5
>     }
>   }
> }
> {code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
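The Trivy finding above lists the fix as "2.1.7, 2.2.3", i.e. two maintenance lines of xmlsec were patched. A practitioner checking a NiFi install (or any other distribution that bundles xmlsec) needs a branch-aware comparison: a naive "installed < 2.2.3" test would wrongly flag a patched 2.1.7 as vulnerable, and would wrongly clear nothing it should catch. The script below is an added example written for this page, not NiFi, Santuario or Trivy code. It assumes the jar is named xmlsec-<version>.jar and that Santuario's maintenance branches are identified by major.minor; the sample paths other than the one taken from the Trivy output are constructed.

```python
"""Branch-aware check for CVE-2021-40690 (Apache Santuario xmlsec) over jar paths.

Added example, not NiFi, Santuario or Trivy code. Trivy reports the fix as
"2.1.7, 2.2.3": two maintenance lines were patched, so the comparison must be
made within the installed version's own branch (major.minor is assumed here).
"""
import re
import sys
from pathlib import Path

# Fix lines exactly as reported in the Trivy finding for CVE-2021-40690.
FIXED_VERSIONS = ("2.1.7", "2.2.3")

# Santuario publishes the artifact as xmlsec-<version>.jar (assumed naming).
JAR_RE = re.compile(r"^xmlsec-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text):
    """'2.2.3' -> (2, 2, 3); tuples compare component-wise."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_fixed_versions(trivy_fixed_field):
    """Split Trivy's comma-separated FixedVersion string into individual versions."""
    return tuple(v.strip() for v in trivy_fixed_field.split(",") if v.strip())


def is_fixed(installed, fixed_versions=FIXED_VERSIONS):
    """True if `installed` carries the fix for its own maintenance branch.

    Rules (assumed from the two fix lines): anything at or above the newest fix
    line is fixed (e.g. 2.3.0); inside a patched branch (same major.minor) the
    version must be at least that branch's fix (2.1.6 no, 2.1.7 yes); any other
    branch (1.5.x, 2.0.x) received no fix and is treated as vulnerable.
    """
    inst = parse_version(installed)
    fixes = sorted(parse_version(f) for f in fixed_versions)
    if inst >= fixes[-1]:
        return True
    for fix in fixes:
        if inst[:2] == fix[:2]:
            return inst >= fix
    return False


def find_vulnerable_jars(paths, fixed_versions=FIXED_VERSIONS):
    """Return (path, version) for every xmlsec jar in `paths` that lacks the fix."""
    findings = []
    for path in paths:
        match = JAR_RE.match(Path(path).name)
        if match and not is_fixed(match.group(1), fixed_versions):
            findings.append((str(path), match.group(1)))
    return findings


def check_trivy_finding(finding):
    """Apply the same rule to one Trivy result object (InstalledVersion/FixedVersion keys)."""
    fixed = parse_fixed_versions(finding["FixedVersion"])
    return is_fixed(finding["InstalledVersion"], fixed)


# Constructed sample listing: the first path is the one from the Trivy finding;
# the rest are made-up paths chosen to exercise each branch of the rule.
SAMPLE_JARS = [
    "opt/nifi/nifi-toolkit-current/lib/xmlsec-1.5.8.jar",
    "example/lib/xmlsec-2.1.6.jar",
    "example/lib/xmlsec-2.1.7.jar",
    "example/lib/xmlsec-2.2.2.jar",
    "example/lib/xmlsec-2.2.3.jar",
    "example/lib/not-xmlsec-1.0.0.jar",
]


if __name__ == "__main__":
    # With a directory argument, walk it for jars; otherwise use the constructed sample.
    paths = Path(sys.argv[1]).rglob("*.jar") if len(sys.argv) > 1 else SAMPLE_JARS
    for path, version in find_vulnerable_jars(paths):
        print(f"VULNERABLE: {path} (xmlsec {version}; fixed in {', '.join(FIXED_VERSIONS)})")
```

Run it against the lib directory of an unpacked NiFi or NiFi Toolkit distribution (`python3 check_xmlsec.py /opt/nifi/nifi-toolkit-current/lib`) to confirm the 1.17.0 upgrade actually replaced the 1.5.8 jar; the same branch-aware rule in check_trivy_finding can be applied to any Trivy result whose FixedVersion lists more than one version.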