PT-2023-8006 · Apache · Apache Nifi
Dr. Oliver Matula
·
Published
2023-11-22
·
Updated
2025-09-12
·
CVE-2023-49145
CVSS v3.1
7.9
High
| Vector | AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L |
Name of the Vulnerable Software and Affected Versions
Apache NiFi versions 0.7.0 through 1.23.2
Description
The issue is related to the JoltTransformJSON Processor in Apache NiFi, which provides an advanced configuration user interface vulnerable to DOM-based cross-site scripting. If an authenticated user visits a crafted URL, arbitrary JavaScript code can be executed within the session context of the authenticated user.
Recommendations
For Apache NiFi versions 0.7.0 through 1.23.2, upgrade to Apache NiFi 1.24.0 or 2.0.0-M1 to mitigate the issue. As a temporary workaround, consider restricting access to the JoltTransformJSON Processor for authenticated users until the upgrade is applied.
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Apache Nifi