Apache NiFi 1.10.0 through 1.27.0 and 2.0.0-M1 through 2.0.0-M3 support a description field for Parameters in a Parameter Context configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to configure a Parameter Context, can enter arbitrary JavaScript code, which the client browser will execute within the session context of the authenticated user. Upgrading to Apache NiFi 1.28.0 or 2.0.0-M4 is the recommended mitigation.
References
Link | Resource |
---|---|
https://lists.apache.org/thread/shdv0tw9hggj7tx9pl7g93mgok2lwbj9 | Mailing List Vendor Advisory |
http://www.openwall.com/lists/oss-security/2024/10/28/1 |
Configurations
Configuration 1 (hide)
|
History
21 Nov 2024, 09:37
Type | Values Removed | Values Added |
---|---|---|
References |
|
08 Nov 2024, 15:03
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:apache:nifi:2.0.0:milestone2:*:*:*:*:*:* cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:* cpe:2.3:a:apache:nifi:2.0.0:milestone1:*:*:*:*:*:* cpe:2.3:a:apache:nifi:2.0.0:milestone3:*:*:*:*:*:* |
|
First Time |
Apache nifi
Apache |
|
References | () https://lists.apache.org/thread/shdv0tw9hggj7tx9pl7g93mgok2lwbj9 - Mailing List, Vendor Advisory |
29 Oct 2024, 14:34
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
29 Oct 2024, 09:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-10-29 09:15
Updated : 2024-11-21 09:37
NVD link : CVE-2024-45477
Mitre link : CVE-2024-45477
CVE.ORG link : CVE-2024-45477
JSON object : View
Products Affected
apache
- nifi
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')