You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@nifi.apache.org by ex...@apache.org on 2023/02/09 23:09:20 UTC
[nifi-site] branch main updated: NIFI-11029 Published description of CVE-2023-22832
This is an automated email from the ASF dual-hosted git repository.
exceptionfactory pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi-site.git
The following commit(s) were added to refs/heads/main by this push:
new 74f587d NIFI-11029 Published description of CVE-2023-22832
74f587d is described below
commit 74f587d7e23961a52f82e144f588e7e81852d0fc
Author: exceptionfactory <ex...@apache.org>
AuthorDate: Thu Feb 9 17:09:09 2023 -0600
NIFI-11029 Published description of CVE-2023-22832
---
source/security.html | 36 ++++++++++++++++++++++++++++++++++++
1 file changed, 36 insertions(+)
diff --git a/source/security.html b/source/security.html
index 36df249..bdecd15 100644
--- a/source/security.html
+++ b/source/security.html
@@ -66,6 +66,42 @@ title: Apache NiFi Security Reports
</div>
</div>
<div class="medium-space"></div>
+<div class="row">
+ <div class="large-12 columns features">
+ <h2><a id="1.20.0" href="#1.20.0">Fixed in Apache NiFi 1.20.0</a></h2>
+ </div>
+</div>
+<!-- Vulnerabilities -->
+<div class="row">
+ <div class="large-12 columns features">
+ <h2><a id="1.20.0-vulnerabilities" href="#1.20.0-vulnerabilities">Vulnerabilities</a></h2>
+ </div>
+</div>
+<div class="row" style="background-color: aliceblue">
+ <div class="large-12 columns">
+ <p><a id="CVE-2023-22832" href="#CVE-2023-22832"><strong>CVE-2023-22832</strong></a>: Improper Restriction of XML External Entity References in ExtractCCDAAttributes</p>
+ <p>Severity: <strong>Moderate</strong></p>
+ <p>Versions Affected:</p>
+ <ul>
+ <li>Apache NiFi 1.2.0 - 1.19.1</li>
+ </ul>
+ </p>
+ <p>The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references.</p>
+ <p>Flow configurations that include the ExtractCCDAAttributes Processor are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references.</p>
+ <p>The resolution disables Document Type Declarations and disallows XML External Entity resolution in the ExtractCCDAAttributes Processor.</p>
+ <p>Mitigation: Upgrading to NiFi 1.20.0 disables Document Type Declarations in the default configuration for ExtractCCDAAttributes.</p>
+ <p>Credit: This issue was discovered by Yi Cai of Chaitin Tech</p>
+ <p>CVE Link: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22832" target="_blank">Mitre Database CVE-2023-22832</a></p>
+ <p>
+ NiFi Jira: <a href="https://issues.apache.org/jira/browse/NIFI-11029" target="_blank">NIFI-11029</a>
+ </p>
+ <p>
+ NiFi PR: <a href="https://github.com/apache/nifi/pull/6828" target="_blank">PR 6828</a>
+ </p>
+ <p>Released: 2023-02-09</p>
+ </div>
+</div>
+<div class="medium-space"></div>
<div class="row">
<div class="large-12 columns features">
<h2><a id="1.16.3" href="#1.16.3">Fixed in Apache NiFi 1.16.3</a></h2>