Identifier

CVE-2020-13940

Package Slug

maven/org.apache.nifi/nifi

Vulnerability

Improper Restriction of XML External Entity Reference

Description

In Apache NiFi, the notification service manager and various policy authorizer and user group provider objects allowed trusted administrators to inadvertently configure a potentially malicious XML file. Such a file could make external calls to services through XML external entity (XXE) processing.

Affected Versions

All versions starting from 1.0.0 up to 1.11.4

Solution

Upgrade to version 1.12.0 or above.

Last Modified

2020-10-06
