CVE-2023-22832


The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references. Flow configurations that include the ExtractCCDAAttributes Processor are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. The resolution disables Document Type Declarations and disallows XML External Entity resolution in the ExtractCCDAAttributes Processor.


Published

2023-02-10T08:15:12.843

Last Modified

2025-03-24T17:15:14.107

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.5 (HIGH)

Weaknesses
  • Type: Secondary
    CWE-611
  • Type: Primary
    CWE-611

Affected Vendors & Products
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | apache | nifi | ≤ 1.19.1 | Yes |
