CVE-2021-44145

CWE-200 — Information Exposure5 documents5 sources

Severity

6.5MEDIUM

EPSS

0.3%

top 45.40%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Nifi Apache Software Foundation Apache Nifi

Timeline

PublishedDec 17

Latest updateJan 5

Description

In the TransformXML processor of Apache NiFi before 1.15.1 an authenticated user could configure an XSLT file which, if it included malicious external entity calls, may reveal sensitive information.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶NVDapache/nifi0.1.0 — 1.15.1

▶Mavenorg.apache.nifi:nifi< 1.15.1

▶CVEListV5apache_software_foundation/apache_nifiApache NiFi — 1.15.0

🔴Vulnerability Details

OSV

Exposure of Sensitive Information to an Unauthorized Actor in Apache NiFi↗2022-01-05

▶

GHSA

Exposure of Sensitive Information to an Unauthorized Actor in Apache NiFi↗2022-01-05

▶

CVEList

Apache NiFi information disclosure by XXE↗2021-12-17

▶

📋Vendor Advisories

Apache

Apache nifi: CVE-2021-44145↗

▶