Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-45477

Apache NiFi 1.10.0 through 1.27.0 and 2.0.0-M1 through 2.0.0-M3 support a description field for Parameters in a Parameter Context configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to configure a Parameter Context, can enter arbitrary JavaScript code, which the client browser will execute within the session context of the authenticated user. Upgrading to Apache NiFi 1.28.0 or 2.0.0-M4 is the recommended mitigation.

Published

2024-10-29T09:15:07.053

Last Modified

2024-11-21T09:37:50.293

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 4.6 (MEDIUM)

Weaknesses

Type: Primary
CWE-79

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	apache	nifi	≤ 1.27.0	Yes
Application	apache	nifi	2.0.0	Yes
Application	apache	nifi	2.0.0	Yes
Application	apache	nifi	2.0.0	Yes

References

https://lists.apache.org/thread/shdv0tw9hggj7tx9pl7g93mgok2lwbj9 Mailing List, Vendor Advisory ([email protected])
http://www.openwall.com/lists/oss-security/2024/10/28/1 (af854a3a-2127-422b-91ae-364da2661108)