PT-2022-19510 · Apache · Apache Nifi

David Handermann

·

Published

2022-04-30

·

Updated

2025-09-12

·

CVE-2022-29265

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Apache NiFi versions 0.0.1 through 1.16.0

Description

Multiple components in Apache NiFi do not restrict XML External Entity references in the default configuration. The Standard Content Viewer service attempts to resolve XML External Entity references when it renders a formatted view of an XML file, and the EvaluateXPath, EvaluateXQuery and ValidateXml Processors attempt to resolve them when configured with their default property values. Any NiFi flow that routes XML from an untrusted source through one of these Processors, or any user who views such a document in the Content Viewer, is therefore exposed to malicious XML documents whose Document Type Declaration defines external entities. Resolving such an entity lets the document pull in the contents of a file readable by the NiFi process, or cause the NiFi host to fetch a URL, and the result is returned through the component's normal output, which is what the CVSS rating (C:H, no integrity or availability impact) reflects.

Recommendations

For Apache NiFi versions 0.0.1 through 1.16.0, upgrade to version 1.16.1 or later. The fix disables Document Type Declarations in the default configuration of the affected Processors and disallows XML External Entity resolution in standard services. If upgrading immediately is not possible, remove or disable the EvaluateXPath, EvaluateXQuery and ValidateXml Processors in flows that handle XML from untrusted sources, and restrict who can reach the NiFi user interface and therefore the Standard Content Viewer. Because the vulnerable behaviour is triggered by the XML document itself, the effective interim control is on the input side: do not route externally supplied XML through these Processors, and reject documents that contain a Document Type Declaration before they reach them. Note that the CVSS vector (AV:N, PR:N) assumes the attacker can deliver XML to an affected component, for example through a flow that ingests XML over the network; the practical exposure of a given deployment depends on which of its flows accept XML from outside.

Fix

XXE


Related Identifiers

BIT-NIFI-2022-29265
CVE-2022-29265
GHSA-WC97-7623-RXWX

Affected Products

Apache Nifi