Vulnerability Monitor

CVE-2024-37389


Apache NiFi 1.10.0 through 1.26.0 and 2.0.0-M1 through 2.0.0-M3 support a description field in the Parameter Context configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to configure a Parameter Context, can enter arbitrary JavaScript code, which the client browser will execute within the session context of the authenticated user. Upgrading to Apache NiFi 1.27.0 or 2.0.0-M4 is the recommended mitigation.


Published

2024-07-08T08:15:10.847

Last Modified

2024-11-21T09:23:46.127

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 4.6 (MEDIUM)

Weaknesses
  • Type: Secondary
    CWE-79
  • Type: Primary
    CWE-79

Affected Vendors & Products
Type         Vendor  Product  Version/Range  Vulnerable?
Application  apache  nifi     < 1.27.0       Yes
Application  apache  nifi     2.0.0          Yes

References