Posted to issues@nifi.apache.org by "Pierre Villard (Jira)" <ji...@apache.org> on 2023/04/26 09:26:00 UTC
[jira] [Commented] (NIFI-11484) Fix CVE-2023-22832: Improper Restriction of XML External Entity References in ExtractCCDAAttributes
[ https://issues.apache.org/jira/browse/NIFI-11484?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17716626#comment-17716626 ]
Pierre Villard commented on NIFI-11484:
---------------------------------------
As reported in [https://nifi.apache.org/security.html], users are requested to upgrade to NiFi 1.20+. We don't have a plan to backport this into the NiFi 1.19.x line.
> Fix CVE-2023-22832: Improper Restriction of XML External Entity References in ExtractCCDAAttributes
> ---------------------------------------------------------------------------------------------------
>
> Key: NIFI-11484
> URL: https://issues.apache.org/jira/browse/NIFI-11484
> Project: Apache NiFi
> Issue Type: Improvement
> Affects Versions: 1.19.0, 1.19.1
> Reporter: Jeyassri Balachandran
> Priority: Minor
> Fix For: 1.19.0, 1.19.1
>
>
> Backporting the fix from NiFi 1.20.
>
> References: https://issues.apache.org/jira/browse/NIFI-11029
>
> The {{ExtractCCDAAttributes}} Processor uses a custom {{CDAUtil}} class to load and parse the FlowFile {{InputStream}}. The {{CDAUtil}} class also includes a {{load}} method that takes a standard DOM {{Document}}. The Processor should be updated to use the standard {{nifi-xml-processing}} library for parsing the XML prior to calling {{CDAUtil.load}}.
> In addition to implementing standard XML parsing, the {{ExtractCCDAAttributes}} Processor should be deprecated for removal because the implementation relies on outdated libraries, and the extensive use of FlowFile attributes does not align with best practices for record-oriented data handling.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)