Yi Cai

#37471 of 53,632
7.5 Total CVSS
Vulnerabilities · 1
PT-2023-18714
7.5
2023-02-10
Apache · Apache Nifi · CVE-2023-22832
**Name of the Vulnerable Software and Affected Versions**
Apache NiFi versions 1.2.0 through 1.19.1

**Description**
The ExtractCCDAAttributes Processor in Apache NiFi does not restrict XML External Entity references, making flow configurations that include this processor vulnerable to malicious XML documents containing Document Type Declarations with XML External Entity references.

**Recommendations**
For Apache NiFi versions 1.2.0 through 1.19.1, the resolution involves disabling Document Type Declarations and disallowing XML External Entity resolution in the ExtractCCDAAttributes Processor.