CVE-2022-29265

CWE-611 — XML External Entity (XXE)5 documents5 sources

Severity

7.5HIGH

EPSS

2.1%

top 15.86%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Nifi Apache Nifi

Timeline

PublishedApr 30

Latest updateMay 1

Description

Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configuration. The Standard Content Viewer service attempts to resolve XML External Entity references when viewing formatted XML files. The following Processors attempt to resolve XML External Entity references when configured with default property values: - EvaluateXPath - EvaluateXQuery - ValidateXml Apache NiFi flow configurations that include these Processors are vulnerable to mal…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶Mavenorg.apache.nifi:nifi0.0.1 — 1.16.1

▶NVDapache/nifi0.0.1 — 1.16.0

▶CVEListV5apache_software_foundation/apache_nifi0.0.1 to 1.16.0 — 0.0.1 to 1.16.0

🔴Vulnerability Details

GHSA

Multiple components in Apache NiFi do not restrict XML External Entity references↗2022-05-01

▶

OSV

Multiple components in Apache NiFi do not restrict XML External Entity references↗2022-05-01

▶

CVEList

Improper Restriction of XML External Entity References in Multiple Components↗2022-04-30

▶

📋Vendor Advisories

Apache

Apache nifi: CVE-2022-29265↗

▶