PT-2023-18714 · Apache · Apache Nifi
Yi Cai · Published 2023-02-10 · Updated 2025-09-12 · CVE-2023-22832
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Apache NiFi versions 1.2.0 through 1.19.1
Description
The ExtractCCDAAttributes Processor in Apache NiFi does not restrict XML External Entity references, making flow configurations that include this processor vulnerable to malicious XML documents containing Document Type Declarations with XML External Entity references.
Recommendations
For Apache NiFi versions 1.2.0 through 1.19.1, the resolution involves disabling Document Type Declarations and disallowing XML External Entity resolution in the ExtractCCDAAttributes Processor.
Fix
XXE
Affected Products
Apache Nifi