CVE-2017-12623 (GCVE-0-2017-12623)

Vulnerability from cvelistv5 – Published: 2017-10-10 18:00 – Updated: 2024-09-16 16:17
Summary
An authorized user could upload a template which contained malicious code and accessed sensitive files via an XML External Entity (XXE) attack. The fix to properly handle XML External Entities was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
Severity ?
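No CVSS data available in the CNA record. The NVD enrichment embedded in the JSON below scores this issue CVSS 3.0 6.5 (MEDIUM), vector CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, and CVSS 2.0 4.0 (MEDIUM).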
CWE
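  • Information Disclosure (the CNA's free-text problem type; the NVD enrichment embedded below classifies the weakness as CWE-611)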
Assigner
References
Impacted products

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T18:43:56.424Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://nifi.apache.org/security.html#CVE-2017-12623"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache NiFi",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "status": "affected",
              "version": "1.0.0 to 1.3.0"
            }
          ]
        }
      ],
      "datePublic": "2017-10-02T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "An authorized user could upload a template which contained malicious code and accessed sensitive files via an XML External Entity (XXE) attack. The fix to properly handle XML External Entities was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should upgrade to the appropriate release."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Information Disclosure",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-10-10T17:57:01",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://nifi.apache.org/security.html#CVE-2017-12623"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "DATE_PUBLIC": "2017-10-02T00:00:00",
          "ID": "CVE-2017-12623",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache NiFi",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "1.0.0 to 1.3.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An authorized user could upload a template which contained malicious code and accessed sensitive files via an XML External Entity (XXE) attack. The fix to properly handle XML External Entities was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should upgrade to the appropriate release."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Information Disclosure"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://nifi.apache.org/security.html#CVE-2017-12623",
              "refsource": "CONFIRM",
              "url": "https://nifi.apache.org/security.html#CVE-2017-12623"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2017-12623",
    "datePublished": "2017-10-10T18:00:00Z",
    "dateReserved": "2017-08-07T00:00:00",
    "dateUpdated": "2024-09-16T16:17:35.807Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:nifi:1.0.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"C028889E-44E8-4E54-9585-BF9B0EED5A9A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:nifi:1.0.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"06D38C76-98D2-41F1-9F0B-CEE05215AB4A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:nifi:1.1.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"01B8572D-CA8D-4A41-B94A-A393A22B5B9D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:nifi:1.1.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"76FDA5E5-6A45-4979-9317-75623A59089F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:nifi:1.1.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"DF1BEC26-CB83-4209-893D-5EA6E08A0C4B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:nifi:1.2.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"A509533F-ACD6-4290-BE2E-3EDBED60D43B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:nifi:1.3.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"A169A8CB-29A5-4C44-AEF9-8995C9239874\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"An authorized user could upload a template which contained malicious code and accessed sensitive files via an XML External Entity (XXE) attack. The fix to properly handle XML External Entities was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should upgrade to the appropriate release.\"}, {\"lang\": \"es\", \"value\": \"Un usuario autorizado podr\\u00eda subir una plantilla que contenga c\\u00f3digo malicioso y que acceda a archivos sensibles mediante un ataque XEE (XML External Entity). La soluci\\u00f3n para manejar entidades externas XML se aplic\\u00f3 en la distribuci\\u00f3n 1.4.0 de Apache NiFi. Los usuarios que ejecuten una distribuci\\u00f3n 1.x anterior deben actualizarla a la distribuci\\u00f3n adecuada.\"}]",
      "id": "CVE-2017-12623",
      "lastModified": "2024-11-21T03:09:55.080",
      "metrics": "{\"cvssMetricV30\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 6.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 3.6}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:S/C:P/I:N/A:N\", \"baseScore\": 4.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.0, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2017-10-10T18:29:00.197",
      "references": "[{\"url\": \"https://nifi.apache.org/security.html#CVE-2017-12623\", \"source\": \"security@apache.org\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://nifi.apache.org/security.html#CVE-2017-12623\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "security@apache.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-611\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2017-12623\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2017-10-10T18:29:00.197\",\"lastModified\":\"2025-04-20T01:37:25.860\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An authorized user could upload a template which contained malicious code and accessed sensitive files via an XML External Entity (XXE) attack. The fix to properly handle XML External Entities was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should upgrade to the appropriate release.\"},{\"lang\":\"es\",\"value\":\"Un usuario autorizado podr\u00eda subir una plantilla que contenga c\u00f3digo malicioso y que acceda a archivos sensibles mediante un ataque XEE (XML External Entity). La soluci\u00f3n para manejar entidades externas XML se aplic\u00f3 en la distribuci\u00f3n 1.4.0 de Apache NiFi. Los usuarios que ejecuten una distribuci\u00f3n 1.x anterior deben actualizarla a la distribuci\u00f3n 
adecuada.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:P/I:N/A:N\",\"baseScore\":4.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-611\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:nifi:1.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C028889E-44E8-4E54-9585-BF9B0EED5A9A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:nifi:1.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"06D38C76-98D2-41F1-9F0B-CEE05215AB4A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:nifi:1.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"01B8572D-CA8D-4A41-B94A-A393A22B5B9D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:nifi:1.1.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"76FDA5E5-6A45-4979-9317-75623A59089F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:nifi:1.1.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DF1BEC26
-CB83-4209-893D-5EA6E08A0C4B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:nifi:1.2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A509533F-ACD6-4290-BE2E-3EDBED60D43B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:nifi:1.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A169A8CB-29A5-4C44-AEF9-8995C9239874\"}]}]}],\"references\":[{\"url\":\"https://nifi.apache.org/security.html#CVE-2017-12623\",\"source\":\"security@apache.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://nifi.apache.org/security.html#CVE-2017-12623\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}







Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

