CVE-2023-22832
XML External Entity Reference in Apache NiFi
7.5
HIGH
CVSS 3.1
EPSS 2.0%
Description
The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references. Flow configurations that include the ExtractCCDAAttributes Processor are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. The resolution disables Document Type Declarations and disallows XML External Entity resolution in the ExtractCCDAAttributes Processor.
How to fix CVE-2023-22832
To remediate CVE-2023-22832, upgrade the affected package to a fixed version below.
- no fix listed
- upgrade to 1.20.0 or later
Is CVE-2023-22832 being exploited?
Low — EPSS is 2.0%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 1.2.0, <= 1.19.1
- >= 1.2.0, < 1.20.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.5) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |