Posted to commits@nifi.apache.org by ex...@apache.org on 2023/02/09 23:09:20 UTC

[nifi-site] branch main updated: NIFI-11029 Published description of CVE-2023-22832

This is an automated email from the ASF dual-hosted git repository.

exceptionfactory pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi-site.git


The following commit(s) were added to refs/heads/main by this push:
     new 74f587d  NIFI-11029 Published description of CVE-2023-22832
74f587d is described below

commit 74f587d7e23961a52f82e144f588e7e81852d0fc
Author: exceptionfactory <ex...@apache.org>
AuthorDate: Thu Feb 9 17:09:09 2023 -0600

    NIFI-11029 Published description of CVE-2023-22832
---
 source/security.html | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)

diff --git a/source/security.html b/source/security.html
index 36df249..bdecd15 100644
--- a/source/security.html
+++ b/source/security.html
@@ -66,6 +66,42 @@ title: Apache NiFi Security Reports
     </div>
 </div>
 <div class="medium-space"></div>
+<div class="row">
+    <div class="large-12 columns features">
+        <h2><a id="1.20.0" href="#1.20.0">Fixed in Apache NiFi 1.20.0</a></h2>
+    </div>
+</div>
+<!-- Vulnerabilities -->
+<div class="row">
+    <div class="large-12 columns features">
+        <h2><a id="1.20.0-vulnerabilities" href="#1.20.0-vulnerabilities">Vulnerabilities</a></h2>
+    </div>
+</div>
+<div class="row" style="background-color: aliceblue">
+    <div class="large-12 columns">
+        <p><a id="CVE-2023-22832" href="#CVE-2023-22832"><strong>CVE-2023-22832</strong></a>: Improper Restriction of XML External Entity References in ExtractCCDAAttributes</p>
+        <p>Severity: <strong>Moderate</strong></p>
+        <p>Versions Affected:</p>
+        <ul>
+            <li>Apache NiFi 1.2.0 - 1.19.1</li>
+        </ul>
+        </p>
+        <p>The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references.</p>
+        <p>Flow configurations that include the ExtractCCDAAttributes Processor are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references.</p>
+        <p>The resolution disables Document Type Declarations and disallows XML External Entity resolution in the ExtractCCDAAttributes Processor.</p>
+        <p>Mitigation: Upgrading to NiFi 1.20.0 disables Document Type Declarations in the default configuration for ExtractCCDAAttributes.</p>
+        <p>Credit: This issue was discovered by Yi Cai of Chaitin Tech</p>
+        <p>CVE Link: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22832" target="_blank">Mitre Database CVE-2023-22832</a></p>
+        <p>
+            NiFi Jira: <a href="https://issues.apache.org/jira/browse/NIFI-11029" target="_blank">NIFI-11029</a>
+        </p>
+        <p>
+            NiFi PR: <a href="https://github.com/apache/nifi/pull/6828" target="_blank">PR 6828</a>
+        </p>
+        <p>Released: 2023-02-09</p>
+    </div>
+</div>
+<div class="medium-space"></div>
 <div class="row">
     <div class="large-12 columns features">
         <h2><a id="1.16.3" href="#1.16.3">Fixed in Apache NiFi 1.16.3</a></h2>
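Review bot: the stray `</p>` on the line directly after the `</ul>` that closes the "Versions Affected" list has no matching opening tag (the `<p>Versions Affected:</p>` above it is already closed), so the added block is not well-formed HTML; drop that line. Two smaller points in the same block: the resolution sentence says the fix "disables Document Type Declarations and disallows XML External Entity resolution", while the Mitigation sentence says upgrading "disables Document Type Declarations in the default configuration", which reads as if DTD support can be re-enabled through a property; either name that property or reword Mitigation to match the resolution sentence. And the three outbound links use `target="_blank"` without `rel="noopener"`; adding it is cheap hardening against reverse tabnabbing on older browsers, if the rest of the page does not already rely on a site-wide convention here.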