CVE-2022-29265

Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configuration. The Standard Content Viewer service attempts to resolve XML External Entity references when viewing formatted XML files. The following Processors attempt to resolve XML External Entity references when configured with default property values: - EvaluateXPath - EvaluateXQuery - ValidateXml Apache NiFi flow configurations that include these Processors are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. The resolution disables Document Type Declarations in the default configuration for these Processors, and disallows XML External Entity resolution in standard services.

CVSS v3 7.5 HIGH
CVSS v2.0 5.0 MEDIUM

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://lists.apache.org/thread/47od9kr9n4cyv0mv81jh3pkyx815kyjl	Mailing List Mitigation Vendor Advisory
https://nifi.apache.org/security.html#CVE-2022-29265	Vendor Advisory
https://lists.apache.org/thread/47od9kr9n4cyv0mv81jh3pkyx815kyjl	Mailing List Mitigation Vendor Advisory
https://nifi.apache.org/security.html#CVE-2022-29265	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*

History

21 Nov 2024, 06:58

Type	Values Removed	Values Added
References	~~() https://lists.apache.org/thread/47od9kr9n4cyv0mv81jh3pkyx815kyjl - Mailing List, Mitigation, Vendor Advisory~~	() https://lists.apache.org/thread/47od9kr9n4cyv0mv81jh3pkyx815kyjl - Mailing List, Mitigation, Vendor Advisory
References	~~() https://nifi.apache.org/security.html#CVE-2022-29265 - Vendor Advisory~~	() https://nifi.apache.org/security.html#CVE-2022-29265 - Vendor Advisory

10 May 2022, 13:25

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 5.0 v3 : 7.5
CWE		CWE-611
CPE		cpe:2.3:a:apache:nifi::::::::
References	~~(MISC) https://nifi.apache.org/security.html#CVE-2022-29265 -~~	(MISC) https://nifi.apache.org/security.html#CVE-2022-29265 - Vendor Advisory
References	~~(CONFIRM) https://lists.apache.org/thread/47od9kr9n4cyv0mv81jh3pkyx815kyjl -~~	(CONFIRM) https://lists.apache.org/thread/47od9kr9n4cyv0mv81jh3pkyx815kyjl - Mailing List, Mitigation, Vendor Advisory

30 Apr 2022, 09:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-04-30 08:15

Updated : 2024-11-21 06:58

NVD link : CVE-2022-29265

Mitre link : CVE-2022-29265

CVE.ORG link : CVE-2022-29265

JSON object : View

Products Affected

apache

nifi

CWE

CWE-611

Improper Restriction of XML External Entity Reference

{"id": "CVE-2022-29265", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2022-04-30T08:15:06.910", "references": [{"url": "https://lists.apache.org/thread/47od9kr9n4cyv0mv81jh3pkyx815kyjl", "tags": ["Mailing List", "Mitigation", "Vendor Advisory"], "source": "security@apache.org"}, {"url": "https://nifi.apache.org/security.html#CVE-2022-29265", "tags": ["Vendor Advisory"], "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread/47od9kr9n4cyv0mv81jh3pkyx815kyjl", "tags": ["Mailing List", "Mitigation", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://nifi.apache.org/security.html#CVE-2022-29265", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-611"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-611"}]}], "descriptions": [{"lang": "en", "value": "Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configuration. The Standard Content Viewer service attempts to resolve XML External Entity references when viewing formatted XML files. The following Processors attempt to resolve XML External Entity references when configured with default property values: - EvaluateXPath - EvaluateXQuery - ValidateXml Apache NiFi flow configurations that include these Processors are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. The resolution disables Document Type Declarations in the default configuration for these Processors, and disallows XML External Entity resolution in standard services."}, {"lang": "es", "value": "Varios componentes de Apache NiFi versiones 0.0.1 a 1.16.0, no restringen las referencias de tipo XML External Entity en la configuraci\u00f3n por defecto. El servicio Standard Content Viewer intenta resolver las referencias a Entidades Externas XML cuando son visualizados archivos XML formateados. Los siguientes procesadores intentan resolver las referencias a entidades externas XML cuando est\u00e1n configurados con los valores predeterminados de las propiedades: - EvaluateXPath - EvaluateXQuery - ValidateXml Las configuraciones de flujo de Apache NiFi que incluyen estos procesadores son vulnerables a documentos XML maliciosos que contienen Declaraciones de Tipo de Documento con referencias a Entidades Externas XML. La resoluci\u00f3n deshabilita las Declaraciones de Tipo de Documento en la configuraci\u00f3n por defecto de estos Procesadores, y deshabilita la resoluci\u00f3n de Entidades Externas XML en los servicios est\u00e1ndar"}], "lastModified": "2024-11-21T06:58:50.043", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "54E19D0B-958C-4FDC-B6B7-512AC10DB295", "versionEndIncluding": "1.16.0", "versionStartIncluding": "0.0.1"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}

7.5 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

5.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

JSON object

Attach tags to CVE-2022-29265

7.5^/10

5.0^/10

Attach tags to `CVE-2022-29265`