
=====================================================================

                               CERT-Renater

                    Information Note No. 2023/VULN061

_____________________________________________________________________

DATE                : 10/02/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache NiFi versions prior to
                     1.20.0.

=====================================================================
https://nifi.apache.org/security.html#CVE-2023-22832
_____________________________________________________________________


CVE-2023-22832: Improper Restriction of XML External Entity References
in ExtractCCDAAttributes


Severity: Moderate

Versions Affected:

     Apache NiFi 1.2.0 - 1.19.1

The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1
does not restrict XML External Entity references.

Flow configurations that include the ExtractCCDAAttributes Processor are
vulnerable to malicious XML documents that contain Document Type
Declarations with XML External Entity references.

The resolution disables Document Type Declarations and disallows XML
External Entity resolution in the ExtractCCDAAttributes Processor.

Mitigation: Upgrading to NiFi 1.20.0 disables Document Type Declarations
in the default configuration for ExtractCCDAAttributes.
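As an added illustration, not NiFi's own code, the Java parser configuration the resolution describes (Document Type Declarations disallowed, external entity resolution disabled) next to the unhardened JDK default, each run on a constructed CDA-shaped document. The class name, the sample documents and the entity name are assumptions made for this example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class HardenedCcdaParser {
    // Constructed sample: a CDA-shaped document carrying a DOCTYPE with an internal
    // entity. For the hardened parser any DTD at all is reason to stop.
    static final String DOC_WITH_DTD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE ClinicalDocument [ <!ENTITY note \"from-dtd\"> ]>\n"
      + "<ClinicalDocument xmlns=\"urn:hl7-org:v3\"><title>&note;</title></ClinicalDocument>";
    // Constructed sample without a DOCTYPE: must still parse after hardening.
    static final String CLEAN_DOC =
        "<?xml version=\"1.0\"?>\n"
      + "<ClinicalDocument xmlns=\"urn:hl7-org:v3\"><title>Summary</title></ClinicalDocument>";

    /** Hardened configuration: DOCTYPE disallowed, external DTD/entity access disabled. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Returns the <title> text, or null when the parser rejects the document. */
    static String parseTitle(DocumentBuilderFactory factory, String xml) throws Exception {
        try {
            Document d = factory.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return d.getElementsByTagName("title").item(0).getTextContent();
        } catch (SAXParseException e) {
            return null; // disallow-doctype-decl raises a fatal error at the DOCTYPE
        }
    }

    public static void main(String[] args) throws Exception {
        // JDK defaults stand in for the pre-fix behaviour: the DTD is processed.
        DocumentBuilderFactory weak = DocumentBuilderFactory.newInstance();
        System.out.println("weak, DTD      : " + parseTitle(weak, DOC_WITH_DTD));
        System.out.println("hardened, DTD  : " + parseTitle(hardenedFactory(), DOC_WITH_DTD));
        System.out.println("hardened, clean: " + parseTitle(hardenedFactory(), CLEAN_DOC));
    }
}
```

With the JDK's default error handler the rejected DOCTYPE is also reported on stderr as a fatal error, which is the signal a flow operator would want logged.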


Credit: This issue was discovered by Yi Cai of Chaitin Tech

CVE Link: Mitre Database CVE-2023-22832

NiFi Jira: NIFI-11029

NiFi PR: PR 6828

Released: 2023-02-09



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================

