Vulnerabilities > CVE-2024-45477 - Unspecified vulnerability in Apache Nifi

CVSS 4.6 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

LOW

Integrity impact

LOW

Availability impact

NONE

network

low complexity

apache

NVD

Published: 2024-10-29

Updated: 2024-11-21

Summary

Apache NiFi 1.10.0 through 1.27.0 and 2.0.0-M1 through 2.0.0-M3 support a description field for Parameters in a Parameter Context configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to configure a Parameter Context, can enter arbitrary JavaScript code, which the client browser will execute within the session context of the authenticated user. Upgrading to Apache NiFi 1.28.0 or 2.0.0-M4 is the recommended mitigation.

Vulnerable Configurations

Part	Description	Count
Application	Apache Apache Nifi 2.0.0 Apache Nifi 1.10.0 Apache Nifi 1.11.0 Apache Nifi 1.11.1 Apache Nifi 1.11.2 Apache Nifi 1.11.3 Apache Nifi 1.11.4 Apache Nifi 1.12.0 Apache Nifi 1.12.1 Apache Nifi 1.13.0 Apache Nifi 1.13.1 Apache Nifi 1.13.2 Apache Nifi 1.14.0 Apache Nifi 1.15.0 Apache Nifi 1.15.3 Apache Nifi 1.16.0 Apache Nifi 1.16.1 Apache Nifi 1.16.2 Apache Nifi 1.16.3 Apache Nifi 1.17.0 Apache Nifi 1.18.0 Apache Nifi 1.19.0 Apache Nifi 1.19.1 Apache Nifi 1.20.0 Apache Nifi 1.21.0 Apache Nifi 1.22.0 Apache Nifi 1.23.0 Apache Nifi 1.23.1 Apache Nifi 1.23.2 Apache Nifi 1.24.0 Apache Nifi 1.25.0 Apache Nifi 1.26.0	57

Summary

Vulnerable Configurations

References