CVE-2023-22832 - Vulnerability Details - OpenCVE

The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references. Flow configurations that include the ExtractCCDAAttributes Processor are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. The resolution disables Document Type Declarations and disallows XML External Entity resolution in the ExtractCCDAAttributes Processor.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Nifi

Configuration 1 [-]

cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://lists.apache.org/thread/b51qs6y7b7r58vovddkv6wc16g2xbl3w
https://nifi.apache.org/security.html#CVE-2023-22832

History

No history.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2023-02-10T07:45:36.964Z

Updated: 2024-08-02T10:20:31.072Z

Reserved: 2023-01-06T20:44:21.364Z

Link: CVE-2023-22832

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-02-10T08:15:12.843

Modified: 2024-11-21T07:45:29.053

Link: CVE-2023-22832

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-22832", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2023-01-06T20:44:21.364Z", "datePublished": "2023-02-10T07:45:36.964Z", "dateUpdated": "2024-08-02T10:20:31.072Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache NiFi", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "1.19.1", "status": "affected", "version": "1.2.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Yi Cai of Chaitin Tech"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div>The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references.</div><div>Flow configurations that include the ExtractCCDAAttributes Processor are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references.</div><div>The resolution disables Document Type Declarations and disallows XML External Entity resolution in the ExtractCCDAAttributes Processor.</div>"}], "value": "The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references.\n\nFlow configurations that include the ExtractCCDAAttributes Processor are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references.\n\nThe resolution disables Document Type Declarations and disallows XML External Entity resolution in the ExtractCCDAAttributes Processor.\n\n"}], "metrics": [{"other": {"content": {"text": "moderate"}, "type": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-611", "description": "CWE-611 Improper Restriction of XML External Entity Reference", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-02-10T07:45:36.964Z"}, "references": [{"tags": ["technical-description"], "url": "https://nifi.apache.org/security.html#CVE-2023-22832"}, {"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/b51qs6y7b7r58vovddkv6wc16g2xbl3w"}], "source": {"defect": ["NIFI-11029"], "discovery": "EXTERNAL"}, "timeline": [{"lang": "en", "time": "2023-01-03T13:00:00.000Z", "value": "reported"}], "title": "Apache NiFi: Improper Restriction of XML External Entity References in ExtractCCDAAttributes", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T10:20:31.072Z"}, "title": "CVE Program Container", "references": [{"tags": ["technical-description", "x_transferred"], "url": "https://nifi.apache.org/security.html#CVE-2023-22832"}, {"tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.apache.org/thread/b51qs6y7b7r58vovddkv6wc16g2xbl3w"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*", "matchCriteriaId": "EC1FB0FD-0D86-47B7-931A-6640115B5052", "versionEndIncluding": "1.19.1", "versionStartIncluding": "1.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references.\n\nFlow configurations that include the ExtractCCDAAttributes Processor are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references.\n\nThe resolution disables Document Type Declarations and disallows XML External Entity resolution in the ExtractCCDAAttributes Processor.\n\n"}, {"lang": "es", "value": "El procesador ExtractCCDAAttributes de Apache NiFi 1.2.0 a 1.19.1 no restringe las referencias a entidades externas XML. Las configuraciones de flujo que incluyen el procesador ExtractCCDAAttributes son vulnerables a documentos XML maliciosos que contienen declaraciones de tipo de documento con referencias a entidades externas XML. La resoluci\u00f3n deshabilita las declaraciones de tipo de documento y no permite la resoluci\u00f3n de entidades externas XML en el procesador ExtractCCDAAttributes."}], "id": "CVE-2023-22832", "lastModified": "2024-11-21T07:45:29.053", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-02-10T08:15:12.843", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/b51qs6y7b7r58vovddkv6wc16g2xbl3w"}, {"source": "security@apache.org", "tags": ["Vendor Advisory"], "url": "https://nifi.apache.org/security.html#CVE-2023-22832"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/b51qs6y7b7r58vovddkv6wc16g2xbl3w"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://nifi.apache.org/security.html#CVE-2023-22832"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "security@apache.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-611"}], "source": "nvd@nist.gov", "type": "Primary"}]}