CVE-2023-22832

The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references.

Flow configurations that include the ExtractCCDAAttributes Processor are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references.

The resolution disables Document Type Declarations and disallows XML External Entity resolution in the ExtractCCDAAttributes Processor.

Published: Feb 10, 2023
Updated: May 9, 2024
CVE: CVE-2023-22832
GHSA: GHSA-hxjp-q6c3-38fx
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWEs:

CWE-611

OWASP TOP 10:

A4 - XML External Entities (XXE)

Affected Software
References

Software	From	Fixed in
apache / nifi	1.2.0	1.19.1.x
org.apache.nifi / nifi	1.2.0	1.20.0

https://github.com/apache/nifi/commit/e966336e8966cf0cbbd12a2c4f2d73a7ceb75cd8
https://lists.apache.org/thread/b51qs6y7b7r58vovddkv6wc16g2xbl3w
https://nifi.apache.org/security.html#CVE-2023-22832

Vulnerability Database

289,599

CVE-2023-22832