CVE-2018-1309
Improper Restriction of XML External Entity Reference in Apache NiFi
9.8
CRITICAL
CVSS 3.1
EPSS 3.7%
Description
Apache NiFi External XML Entity issue in SplitXML processor. Malicious XML content could cause information disclosure or remote code execution. The fix to disable external general entity parsing and disallow doctype declarations was applied on the Apache NiFi 1.6.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
How to fix CVE-2018-1309
To remediate CVE-2018-1309, upgrade the affected package to a fixed version below.
- —upgrade to 1.6.0 or later
Is CVE-2018-1309 being exploited?
Low — EPSS is 3.7%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 0.1.0, < 1.6.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |