CVE-2023-49145 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2023-49145

CVE-2023-49145

November 27, 2023

Apache NiFi 0.7.0 through 1.23.2 include the JoltTransformJSON Processor, which provides an advanced configuration user interface that is vulnerable to DOM-based cross-site scripting. If an authenticated user, who is authorized to configure a JoltTransformJSON Processor, visits a crafted URL, then arbitrary JavaScript code can be executed within the session context of the authenticated user. Upgrading to Apache NiFi 1.24.0 or 2.0.0-M1 is the recommended mitigation.

Related Resources (8)

https://lists.apache.org/thread/j8rd0qsvgoj0khqck5f49jfbp0fm8r1o

https://issues.apache.org/jira/browse/NIFI-12403

https://nvd.nist.gov/vuln/detail/CVE-2023-49145

https://github.com/apache/nifi/commit/50efc55df6bb00ea15adcc2459d5cc82d128857f

https://nifi.apache.org/security.html#CVE-2023-49145

http://www.openwall.com/lists/oss-security/2023/11/27/5

https://github.com/apache/nifi

https://github.com/apache/nifi/pull/8060

Do you need more information?

CVSS v4

Base Score:

8.8

Attack Vector

NETWORK

Attack Complexity

HIGH

Attack Requirements

NONE

Privileges Required

LOW

User Interaction

PASSIVE

Vulnerable System Confidentiality

HIGH

Vulnerable System Integrity

HIGH

Vulnerable System Availability

LOW

Subsequent System Confidentiality

HIGH

Subsequent System Integrity

HIGH

Subsequent System Availability

LOW

CVSS v3

Base Score:

7.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

LOW

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

EPSS

Base Score:

0.29

Products

Solutions

Resources

Company

Compare

Developer Tools