Home > Vulnerability Database > CVE-2023-22832

Mend.io Vulnerability Database

CVE-2023-22832

Good to know:

Date: February 10, 2023

The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references. Flow configurations that include the ExtractCCDAAttributes Processor are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. The resolution disables Document Type Declarations and disallows XML External Entity resolution in the ExtractCCDAAttributes Processor.

Language: Java

Severity Score

7.5

Related Resources (5)

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-22832

Url: https://github.com/apache/nifi/commit/e966336e8966cf0cbbd12a2c4f2d73a7ceb75cd8

Url: https://lists.apache.org/thread/b51qs6y7b7r58vovddkv6wc16g2xbl3w

Url: https://nifi.apache.org/security.html#CVE-2023-22832

Url: https://www.mend.io/vulnerability-database/CVE-2023-22832

Severity Score

7.5

Weakness Type (CWE)

Improper Restriction of XML External Entity Reference ('XXE')

CWE-611

Top Fix

Upgrade Version

Upgrade to version org.apache.nifi:nifi-ccda-processors:1.20.0

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2023-22832

Good to know:

Date: February 10, 2023

Language: Java

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?