Recent Vulnerabilities Research Posts Trends Blog About Contact

Related Vulnerabilities: CVE-2019-10080

Source

                							

                <!--X-Body-Begin-->
<!--X-User-Header-->

oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->

By Date

By Thread

</form>

<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
[CVE-2019-10080] Apache NiFi XXE information disclosure

<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->

From: Nathan Gough &lt;thenatog () apache org&gt;

Date: Tue, 19 Nov 2019 13:41:36 -0500

<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->

<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
[CVEID]:CVE-2019-10080

[PRODUCT]:Apache NiFi

[VERSION]:Apache NiFi 1.3.0 to 1.9.2

[PROBLEMTYPE]:Information Disclosure

[REFERENCES]:https://nifi.apache.org/security.html#CVE-2019-10080

[DESCRIPTION]:As reported by RunningSnail, the XMLFileLookupService in NiFi
versions 1.3.0 to 1.9.2 allowed trusted users to inadvertently configure a
potentially malicious XML file. The XML file has the ability to make
external calls to services (via XXE) and reveal information such as the
versions of Java, Jersey, and Apache that the NiFI instance uses.

<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->

<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->

By Date

By Thread

Current thread:

[CVE-2019-10080] Apache NiFi XXE information disclosure Nathan Gough (Nov 19)

<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

[CVE-2019-10080] Apache NiFi XXE information disclosure

Vulmon Search

About

Products

Connect