CVE-2020-13940: Improper Restriction of XML External Entity Reference

October 1, 2020 (updated October 5, 2020)

In Apache NiFi, the notification service manager and various policy authorizer and user group provider objects allowed trusted administrators to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE).

References

nifi.apache.org/security
nvd.nist.gov/vuln/detail/CVE-2020-13940

Detect and mitigate CVE-2020-13940 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →