Vulnerabilities > CVE-2023-49145 - Unspecified vulnerability in Apache Nifi

CVSS 5.4 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

LOW

Integrity impact

LOW

Availability impact

NONE

network

low complexity

apache

NVD

Published: 2023-11-27

Updated: 2024-11-21

Summary

Apache NiFi 0.7.0 through 1.23.2 include the JoltTransformJSON Processor, which provides an advanced configuration user interface that is vulnerable to DOM-based cross-site scripting. If an authenticated user, who is authorized to configure a JoltTransformJSON Processor, visits a crafted URL, then arbitrary JavaScript code can be executed within the session context of the authenticated user. Upgrading to Apache NiFi 1.24.0 or 2.0.0-M1 is the recommended mitigation.

Vulnerable Configurations

Part	Description	Count
Application	Apache Apache Nifi 0.7.0 Apache Nifi 0.7.1 Apache Nifi 0.7.2 Apache Nifi 0.7.3 Apache Nifi 0.7.4 Apache Nifi 1.0.0 Apache Nifi 1.0.1 Apache Nifi 1.1.0 Apache Nifi 1.1.1 Apache Nifi 1.1.2 Apache Nifi 1.2.0 Apache Nifi 1.3.0 Apache Nifi 1.4.0 Apache Nifi 1.5.0 Apache Nifi 1.6.0 Apache Nifi 1.7.0 Apache Nifi 1.7.1 Apache Nifi 1.8.0 Apache Nifi 1.9.0 Apache Nifi 1.9.1 Apache Nifi 1.9.2 Apache Nifi 1.10.0 Apache Nifi 1.11.0 Apache Nifi 1.11.1 Apache Nifi 1.11.2 Apache Nifi 1.11.3 Apache Nifi 1.11.4 Apache Nifi 1.12.0 Apache Nifi 1.12.1 Apache Nifi 1.13.0 Apache Nifi 1.13.1 Apache Nifi 1.13.2 Apache Nifi 1.14.0 Apache Nifi 1.15.0 Apache Nifi 1.15.3 Apache Nifi 1.16.0 Apache Nifi 1.16.1 Apache Nifi 1.16.2 Apache Nifi 1.16.3 Apache Nifi 1.17.0 Apache Nifi 1.18.0 Apache Nifi 1.19.0 Apache Nifi 1.19.1 Apache Nifi 1.20.0 Apache Nifi 1.21.0 Apache Nifi 1.22.0 Apache Nifi 1.23.0 Apache Nifi 1.23.1 Apache Nifi 1.23.2	117

Summary

Vulnerable Configurations

References