CVE-2024-45477

Apache NiFi 1.10.0 through 1.27.0 and 2.0.0-M1 through 2.0.0-M3 support a description field for Parameters in a Parameter Context configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to configure a Parameter Context, can enter arbitrary JavaScript code, which the client browser will execute within the session context of the authenticated user. Upgrading to Apache NiFi 1.28.0 or 2.0.0-M4 is the recommended mitigation.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:nifi:2.0.0:milestone1:*:*:*:*:*:*
cpe:2.3:a:apache:nifi:2.0.0:milestone2:*:*:*:*:*:*
cpe:2.3:a:apache:nifi:2.0.0:milestone3:*:*:*:*:*:*

History

21 Nov 2024, 09:37

Type Values Removed Values Added
References
  • () http://www.openwall.com/lists/oss-security/2024/10/28/1 -

08 Nov 2024, 15:03

Type Values Removed Values Added
CPE cpe:2.3:a:apache:nifi:2.0.0:milestone2:*:*:*:*:*:*
cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:nifi:2.0.0:milestone1:*:*:*:*:*:*
cpe:2.3:a:apache:nifi:2.0.0:milestone3:*:*:*:*:*:*
First Time Apache nifi
Apache
References () https://lists.apache.org/thread/shdv0tw9hggj7tx9pl7g93mgok2lwbj9 - () https://lists.apache.org/thread/shdv0tw9hggj7tx9pl7g93mgok2lwbj9 - Mailing List, Vendor Advisory

29 Oct 2024, 14:34

Type Values Removed Values Added
Summary
  • (es) Apache NiFi 1.10.0 a 1.27.0 y 2.0.0-M1 a 2.0.0-M3 admiten un campo de descripción para los parámetros en una configuración de contexto de parámetros que es vulnerable a cross-site scripting. Un usuario autenticado, autorizado para configurar un contexto de parámetros, puede ingresar código JavaScript arbitrario, que el navegador del cliente ejecutará dentro del contexto de sesión del usuario autenticado. La actualización a Apache NiFi 1.28.0 o 2.0.0-M4 es la mitigación recomendada.

29 Oct 2024, 09:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-10-29 09:15

Updated : 2024-11-21 09:37


NVD link : CVE-2024-45477

Mitre link : CVE-2024-45477

CVE.ORG link : CVE-2024-45477


JSON object : View

Products Affected

apache

  • nifi
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')