oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2024-45477: Apache NiFi: Improper Neutralization of Input in Parameter Description

From: David Handermann <exceptionfactory () apache org>
Date: Mon, 28 Oct 2024 19:34:26 +0000
Affected versions:

- Apache NiFi 1.10.0 through 1.27.0
- Apache NiFi 2.0.0-M1 through 2.0.0-M3

Description:

Apache NiFi 1.10.0 through 1.27.0 and 2.0.0-M1 through 2.0.0-M3 support a description field for Parameters in a 
Parameter Context configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to 
configure a Parameter Context, can enter arbitrary JavaScript code, which the client browser will execute within the 
session context of the authenticated user. Upgrading to Apache NiFi 1.28.0 or 2.0.0-M4 is the recommended mitigation.

This issue is being tracked as NIFI-13675 

Credit:

Muhammad Hazim Bin Nor Aizi (finder)

References:

https://nifi.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-45477
https://issues.apache.org/jira/browse/NIFI-13675

Timeline:

2024-08-23: reported
2024-08-23: confirmed
2024-08-25: resolved
Previous By Date Next
Previous By Thread Next

Current thread: