Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <84ec392f-a9b7-ae51-9c71-5a7497f5eb20@apache.org>
Date: Mon, 08 Jul 2024 03:25:03 +0000
From: David Handermann <exceptionfactory@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2024-37389: Apache NiFi: Improper Neutralization of Input in
 Parameter Context Description 

Affected versions:

- Apache NiFi 1.10.0 through 1.26.0
- Apache NiFi 2.0.0-M1 through 2.0.0-M3

Description:

Apache NiFi 1.10.0 through 1.26.0 and 2.0.0-M1 through 2.0.0-M3 support a description field in the Parameter Context configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to configure a Parameter Context, can enter arbitrary JavaScript code, which the client browser will execute within the session context of the authenticated user. Upgrading to Apache NiFi 1.27.0 or 2.0.0-M4 is the recommended mitigation.

This issue is being tracked as NIFI-13374 

Credit:

Akbar Kustirama (finder)

References:

https://nifi.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-37389
https://issues.apache.org/jira/browse/NIFI-13374

Timeline:

2024-06-07: reported
2024-06-07: confirmed
2024-06-07: resolved

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.