CVE-2019-10080 — XML External Entity (XXE) Injection in Apache Nifi

CWE-611 — XML External Entity (XXE) Injection6 documents6 sources

Severity

6.5MEDIUMNVD

EPSS

0.4%

top 38.18%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Nifi Apache Software Foundation Apache Nifi

Timeline

PublishedNov 19

Latest updateApr 15

Description

The XMLFileLookupService in NiFi versions 1.3.0 to 1.9.2 allowed trusted users to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE) and reveal information such as the versions of Java, Jersey, and Apache that the NiFI instance uses.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶NVDapache/nifi1.3.0 — 1.9.2

▶CVEListV5apache_software_foundation/apache_nifiApache NiFi 1.3.0 to 1.9.2

🔴Vulnerability Details

OSV

Apache NiFi information disclosure by XXE↗2019-12-02

▶

GHSA

Apache NiFi information disclosure by XXE↗2019-12-02

▶

CVEList

CVE-2019-10080: The XMLFileLookupService in NiFi versions 1↗2019-11-19

▶

📋Vendor Advisories

Oracle

Oracle Oracle Siebel CRM Risk Matrix: EAI (Jersey) — CVE-2019-10080↗2021-04-15

▶

Apache

Apache nifi: CVE-2019-10080↗

▶