CVE-2023-22832: XML External Entity Reference in Apache NiFi

February 10, 2023 (updated October 14, 2024)

The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references. Flow configurations that include the ExtractCCDAAttributes Processor are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. The resolution disables Document Type Declarations and disallows XML External Entity resolution in the ExtractCCDAAttributes Processor.

References

github.com/advisories/GHSA-hxjp-q6c3-38fx
github.com/apache/nifi
github.com/apache/nifi/commit/e966336e8966cf0cbbd12a2c4f2d73a7ceb75cd8
lists.apache.org/thread/b51qs6y7b7r58vovddkv6wc16g2xbl3w
nifi.apache.org/security.html
nvd.nist.gov/vuln/detail/CVE-2023-22832

Code Behaviors & Features

Detect and mitigate CVE-2023-22832 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →