Posted to issues@nifi.apache.org by "Pierre Villard (Jira)" <ji...@apache.org> on 2023/04/26 09:27:00 UTC

[jira] [Resolved] (NIFI-11484) Fix CVE-2023-22832: Improper Restriction of XML External Entity References in ExtractCCDAAttributes

     [ https://issues.apache.org/jira/browse/NIFI-11484?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Pierre Villard resolved NIFI-11484.
-----------------------------------
    Resolution: Won't Do

> Fix CVE-2023-22832: Improper Restriction of XML External Entity References in ExtractCCDAAttributes
> ---------------------------------------------------------------------------------------------------
>
>                 Key: NIFI-11484
>                 URL: https://issues.apache.org/jira/browse/NIFI-11484
>             Project: Apache NiFi
>          Issue Type: Improvement
>    Affects Versions: 1.19.0, 1.19.1
>            Reporter: Jeyassri Balachandran
>            Priority: Minor
>             Fix For: 1.19.1, 1.19.0
>
>
> Backporting the fix from nifi 1.20.
>  
> References: https://issues.apache.org/jira/browse/NIFI-11029
>  
> The {{ExtractCCDAAttributes}} Processor uses a custom {{CDAUtil}} class to load and parse the FlowFile {{InputStream}}. The {{CDAUtil}} class also includes a {{load}} method that takes a standard DOM {{Document}}. The Processor should be updated to use the standard {{nifi-xml-processing}} library for parsing the XML prior to calling {{CDAUtil.load}}.
> In addition to implementing standard XML parsing, the {{ExtractCCDAAttributes}} Processor should be deprecated for removal because the implementation relies on outdated libraries, and the extensive use of FlowFile attributes does not align with best practices for record-oriented data handling.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
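
The parse-then-load pattern described in the issue, as an added example that is not NiFi's code and does not use nifi-xml-processing: a JDK-only sketch that builds the DOM Document with DOCTYPE declarations and external access disabled, so only an already-parsed Document would reach CDAUtil.load. The class name, helper names and both sample documents are assumptions constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class RestrictedCdaParse {

    // Parse to a DOM Document with DOCTYPE declarations and external access disabled.
    // The feature and attribute names are those of the JDK's built-in JAXP parser.
    static Document parseRestricted(InputStream in) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory.newDocumentBuilder().parse(in);
    }

    static InputStream stream(String xml) {
        return new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples; the system identifier below is a placeholder.
        String plain = "<ClinicalDocument xmlns=\"urn:hl7-org:v3\">"
                + "<title>Sample</title></ClinicalDocument>";
        String withDoctype = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE ClinicalDocument ["
                + "<!ENTITY ext SYSTEM \"file:///constructed/placeholder\">]>"
                + "<ClinicalDocument xmlns=\"urn:hl7-org:v3\">"
                + "<title>&ext;</title></ClinicalDocument>";

        // A document without a DOCTYPE parses normally; in the processor this
        // Document is what would be handed to CDAUtil.load(Document).
        Document doc = parseRestricted(stream(plain));
        System.out.println("parsed root: " + doc.getDocumentElement().getLocalName());

        // Any DOCTYPE is a fatal parse error, so the entity is never resolved.
        try {
            parseRestricted(stream(withDoctype));
            System.out.println("DOCTYPE accepted: parser is not restricted");
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The JDK parser also writes a "[Fatal Error]" line to stderr for the rejected document unless an ErrorHandler is set on the DocumentBuilder.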