CVE-2023-22832

CVE-2023-22832: Apache NiFi: Improper Restriction of XML External Entity References in ExtractCCDAAttributes

Vendor: Apache Software Foundation
Product: Apache NiFi
Weakness: CWE-611 (XXE)
Published: February 10, 2023
Last update: March 24, 2025

What the vulnerability does

Description

The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references. Flow configurations that include the ExtractCCDAAttributes Processor are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. The resolution disables Document Type Declarations and disallows XML External Entity resolution in the ExtractCCDAAttributes Processor.

Key dates

Disclosure timeline

February 10, 2023: CVE published
March 24, 2025: Record updated