CVE-2017-12623
MEDIUM
Apache NiFi 1.0.0-1.3.0 - Authenticated XML External Entity Injection via Template Upload
Title source: llm
Description
An authorized user could upload a template that contained malicious code and access sensitive files via an XML External Entity (XXE) attack. The fix to properly handle XML External Entities was applied in the Apache NiFi 1.4.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
References (1)
Vendor Advisory x_refsource_confirm
https://nifi.apache.org/security.html#CVE-2017-12623
Scores
CVSS v3
6.5
EPSS
0.0030
EPSS Percentile
53.3%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-611
Status
published
Products (9)
apache/nifi
1.0.0
apache/nifi
1.0.1
apache/nifi
1.1.0
apache/nifi
1.1.1
apache/nifi
1.1.2
apache/nifi
1.2.0
apache/nifi
1.3.0
Apache Software Foundation/Apache NiFi
1.0.0 to 1.3.0
org.apache.nifi/nifi
1.0.0 - 1.4.0 (Maven)
Published
Oct 10, 2017
Tracked Since
Feb 18, 2026