ghsa-68pr-6fjc-wmgm
Vulnerability from github
Published
2023-11-28 00:30
Modified
2023-11-28 20:59
Severity ?
7.9 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L
Summary
Improper Neutralization of Input in Advanced User Interface for Jolt
Details

Apache NiFi 0.7.0 through 1.23.2 include the JoltTransformJSON Processor, which provides an advanced configuration user interface that is vulnerable to DOM-based cross-site scripting. If an authenticated user, who is authorized to configure a JoltTransformJSON Processor, visits a crafted URL, then arbitrary JavaScript code can be executed within the session context of the authenticated user. Upgrading to Apache NiFi 1.24.0 or 2.0.0-M1 is the recommended mitigation.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.nifi:nifi-jolt-transform-json-ui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.24.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-49145"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-11-28T20:59:40Z",
    "nvd_published_at": "2023-11-27T23:15:07Z",
    "severity": "HIGH"
  },
  "details": "Apache NiFi 0.7.0 through 1.23.2 include the JoltTransformJSON Processor, which provides an advanced configuration user interface that is vulnerable to DOM-based cross-site scripting. If an authenticated user, who is authorized to configure a JoltTransformJSON Processor, visits a crafted URL, then arbitrary JavaScript code can be executed within the session context of the authenticated user. Upgrading to Apache NiFi 1.24.0 or 2.0.0-M1 is the recommended mitigation.",
  "id": "GHSA-68pr-6fjc-wmgm",
  "modified": "2023-11-28T20:59:40Z",
  "published": "2023-11-28T00:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49145"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/nifi/pull/8060"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/nifi/commit/50efc55df6bb00ea15adcc2459d5cc82d128857f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/nifi"
    },
    {
      "type": "WEB",
      "url": "https://issues.apache.org/jira/browse/NIFI-12403"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/j8rd0qsvgoj0khqck5f49jfbp0fm8r1o"
    },
    {
      "type": "WEB",
      "url": "https://nifi.apache.org/security.html#CVE-2023-49145"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2023/11/27/5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Neutralization of Input in Advanced User Interface for Jolt"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.