PT-2019-4251 · Apache · Apache NiFi
Published: 2019-11-04 · Updated: 2021-06-14 · CVE-2019-10080
CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:L/Au:S/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Apache NiFi versions 1.3.0 through 1.9.2
Description: The issue lies in the XMLFileLookupService component, which trusted users can configure to load a potentially malicious XML file. Such a file can make external calls to services via XXE (XML External Entity injection), potentially revealing sensitive information such as the versions of Java, Jersey, and Apache used by the NiFi instance. The vulnerability stems from improper restriction of XML external entity references, allowing a remote attacker to gain unauthorized access to protected information using a specially crafted XML file.
Recommendations: For Apache NiFi versions 1.3.0 through 1.9.2, consider restricting access to the XMLFileLookupService component until a patch is available. As a temporary workaround, avoid using XMLFileLookupService with untrusted XML files to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

XXE


Weakness Enumeration

Related Identifiers

BDU:2019-04852
CVE-2019-10080
GHSA-744R-VV2G-2X6G

Affected Products

Apache NiFi
Java
Jersey