CVE-2018-1309

Apache NiFi External XML Entity issue in SplitXML processor. Malicious XML content could cause information disclosure or remote code execution. The fix to disable external general entity parsing and disallow doctype declarations was applied on the Apache NiFi 1.6.0 release. Users running a prior 1.x release should upgrade to the appropriate release.

CVSS v3 9.8 CRITICAL
CVSS v2.0 7.5 HIGH

9.8^/10

CVSS v3 : CRITICAL

Vector : AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://nifi.apache.org/security.html#CVE-2018-1309	Patch Vendor Advisory
https://nifi.apache.org/security.html#CVE-2018-1309	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*

History

21 Nov 2024, 03:59

Type	Values Removed	Values Added
References	~~() https://nifi.apache.org/security.html#CVE-2018-1309 - Patch, Vendor Advisory~~	() https://nifi.apache.org/security.html#CVE-2018-1309 - Patch, Vendor Advisory

Information

Published : 2018-05-23 14:29

Updated : 2024-11-21 03:59

NVD link : CVE-2018-1309

Mitre link : CVE-2018-1309

CVE.ORG link : CVE-2018-1309

JSON object : View

Products Affected

apache

nifi

CWE

CWE-611

Improper Restriction of XML External Entity Reference

{"id": "CVE-2018-1309", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": true, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2018-05-23T14:29:00.387", "references": [{"url": "https://nifi.apache.org/security.html#CVE-2018-1309", "tags": ["Patch", "Vendor Advisory"], "source": "security@apache.org"}, {"url": "https://nifi.apache.org/security.html#CVE-2018-1309", "tags": ["Patch", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-611"}]}], "descriptions": [{"lang": "en", "value": "Apache NiFi External XML Entity issue in SplitXML processor. Malicious XML content could cause information disclosure or remote code execution. The fix to disable external general entity parsing and disallow doctype declarations was applied on the Apache NiFi 1.6.0 release. Users running a prior 1.x release should upgrade to the appropriate release."}, {"lang": "es", "value": "Hay un problema de XEE (XML External Entity) en el procesador SplitXML en Apache NiFi. El contenido XML malicioso puede provocar una divulgaci\u00f3n de informaci\u00f3n o la ejecuci\u00f3n remota de c\u00f3digo. La soluci\u00f3n de deshabilitar el an\u00e1lisis de entidades generales externas y no permitir las declaraciones doctype se aplic\u00f3 en la versi\u00f3n 1.6.0 de Apache NiFi. Los usuarios que ejecuten una distribuci\u00f3n 1.x anterior deben actualizarla a la distribuci\u00f3n adecuada."}], "lastModified": "2024-11-21T03:59:35.800", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "11541048-6FE6-4B80-A41D-705F649DF386", "versionEndExcluding": "1.6.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}