CVE-2017-12623

An authorized user could upload a template which contained malicious code and accessed sensitive files via an XML External Entity (XXE) attack. The fix to properly handle XML External Entities was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should upgrade to the appropriate release.

Published: Oct 10, 2017
Updated: May 9, 2024
CVE: CVE-2017-12623
GHSA: GHSA-qj7f-j6h9-g5rq
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.5
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS v2:

Severity: Low
Score: 4
AV:N/AC:L/Au:S/C:P/I:N/A:N

CWEs:

CWE-611

OWASP TOP 10:

A4 - XML External Entities (XXE)

Affected Software
References

Software	From	Fixed in
apache / nifi	1.1.0	1.1.0.x
apache / nifi	1.1.1	1.1.1.x
apache / nifi	1.0.0	1.0.0.x
apache / nifi	1.1.2	1.1.2.x
apache / nifi	1.2.0	1.2.0.x
apache / nifi	1.0.1	1.0.1.x
apache / nifi	1.3.0	1.3.0.x
org.apache.nifi / nifi	1.0.0	1.4.0

https://nifi.apache.org/security.html#CVE-2017-12623

Vulnerability Database

289,697

CVE-2017-12623