CVE-2023-22832
HIGH
Apache NiFi 1.2.0-1.19.1 - XML External Entity Injection in ExtractCCDAAttributes Processor
Title source: llm
Description
The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references. Flow configurations that include the ExtractCCDAAttributes Processor are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. The resolution disables Document Type Declarations and disallows XML External Entity resolution in the ExtractCCDAAttributes Processor.
References (2)
Core References
Vendor Advisory technical-description
https://nifi.apache.org/security.html#CVE-2023-22832
Mailing List, Vendor Advisory vendor-advisory
https://lists.apache.org/thread/b51qs6y7b7r58vovddkv6wc16g2xbl3w
Scores
CVSS v3
7.5
EPSS
0.0204
EPSS Percentile
84.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-611
Status
published
Products (2)
apache/nifi
1.2.0 - 1.19.1
org.apache.nifi/nifi-ccda-processors
1.2.0 - 1.20.0 (Maven)
Published
Feb 10, 2023
Tracked Since
Feb 18, 2026