CVE-2024-45477

Apache NiFi 1.10.0 through 1.27.0 and 2.0.0-M1 through 2.0.0-M3 support a description field for Parameters in a Parameter Context configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to configure a Parameter Context, can enter arbitrary JavaScript code, which the client browser will execute within the session context of the authenticated user. Upgrading to Apache NiFi 1.28.0 or 2.0.0-M4 is the recommended mitigation.

CVSS v3 4.6 MEDIUM

4.6^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.1 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://lists.apache.org/thread/shdv0tw9hggj7tx9pl7g93mgok2lwbj9

Configurations

No configuration.

History

29 Oct 2024, 14:34

Type	Values Removed	Values Added
Summary		(es) Apache NiFi 1.10.0 a 1.27.0 y 2.0.0-M1 a 2.0.0-M3 admiten un campo de descripción para los parámetros en una configuración de contexto de parámetros que es vulnerable a cross-site scripting. Un usuario autenticado, autorizado para configurar un contexto de parámetros, puede ingresar código JavaScript arbitrario, que el navegador del cliente ejecutará dentro del contexto de sesión del usuario autenticado. La actualización a Apache NiFi 1.28.0 o 2.0.0-M4 es la mitigación recomendada.

29 Oct 2024, 09:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-10-29 09:15

Updated : 2024-10-29 14:34

NVD link : CVE-2024-45477

Mitre link : CVE-2024-45477

CVE.ORG link : CVE-2024-45477

JSON object : View

Products Affected

No product.

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

4.6 /10