CVE-2019-10080
MEDIUM
Apache NiFi 1.3.0-1.9.2 - XML External Entity Injection in XMLFileLookupService
The XMLFileLookupService in NiFi versions 1.3.0 to 1.9.2 allowed trusted users to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE) and reveal information such as the versions of Java, Jersey, and Apache that the NiFi instance uses.
References (3)
Core References
Mailing List (mailing-list, x_refsource_mlist): https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E
Vendor Advisory (x_refsource_misc): https://www.oracle.com/security-alerts/cpuApr2021.html
Vendor Advisory (x_refsource_confirm): https://nifi.apache.org/security.html#CVE-2019-10080
Scores
CVSS v3: 6.5
EPSS: 0.0042
EPSS Percentile: 61.9%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Details
CWE: CWE-611
Status: published
Products (3)
apache/nifi: 1.3.0 - 1.9.2
org.apache.nifi/nifi: 1.3.0 - 1.10.0 (Maven)
org.apache.nifi/nifi-security: 1.3.0 - 1.10.0 (Maven)
Published: Nov 19, 2019
Tracked Since: Feb 18, 2026