CVE-2022-29265
Multiple components in Apache NiFi do not restrict XML External Entity references
Description
Apache NiFi is a system to process and distribute data. Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configuration. The Standard Content Viewer service attempts to resolve XML External Entity references when viewing formatted XML files. The following Processors attempt to resolve XML External Entity references when configured with default property values:

- EvaluateXPath
- EvaluateXQuery
- ValidateXml

Apache NiFi flow configurations that include these Processors are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. NiFi 1.16.1 disables Document Type Declarations in the default configuration for these Processors and disallows XML External Entity resolution in standard services.
How to fix CVE-2022-29265
To remediate CVE-2022-29265, upgrade the affected package to a fixed version below.
- —no fix listed
- —upgrade to 1.16.1 or later
Is CVE-2022-29265 being exploited?
Low — EPSS is 2.1%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 0.0.1, <= 1.16.0
- >= 0.0.1, < 1.16.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |