Apache NiFi 1.10.0 through 1.26.0 and 2.0.0-M1 through 2.0.0-M3 support a description field in the Parameter Context configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to configure a Parameter Context, can enter arbitrary JavaScript code, which the client browser will execute within the session context of the authenticated user. Upgrading to Apache NiFi 1.27.0 or 2.0.0-M4 is the recommended mitigation.
References
Configurations
Configuration 1 (hide)
|
History
21 Nov 2024, 09:23
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 4.6 |
References |
|
|
References | () https://lists.apache.org/thread/yso9fr0wtff53nk046h1o83hdyb1lrxh - Mailing List |
11 Jul 2024, 14:48
Type | Values Removed | Values Added |
---|---|---|
References | () https://lists.apache.org/thread/yso9fr0wtff53nk046h1o83hdyb1lrxh - Mailing List | |
CPE | cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:* cpe:2.3:a:apache:nifi:2.0.0:milestone1-rc6:*:*:*:*:*:* cpe:2.3:a:apache:nifi:2.0.0:milestone2-rc1:*:*:*:*:*:* cpe:2.3:a:apache:nifi:2.0.0:milestone2-rc2:*:*:*:*:*:* cpe:2.3:a:apache:nifi:2.0.0:milestone1-rc3:*:*:*:*:*:* cpe:2.3:a:apache:nifi:2.0.0:milestone1-rc4:*:*:*:*:*:* cpe:2.3:a:apache:nifi:2.0.0:milestone1-rc1:*:*:*:*:*:* cpe:2.3:a:apache:nifi:2.0.0:milestone3-rc1:*:*:*:*:*:* cpe:2.3:a:apache:nifi:2.0.0:milestone3:*:*:*:*:*:* cpe:2.3:a:apache:nifi:2.0.0:milestone2:*:*:*:*:*:* cpe:2.3:a:apache:nifi:2.0.0:milestone2-rc3:*:*:*:*:*:* cpe:2.3:a:apache:nifi:2.0.0:milestone1-rc2:*:*:*:*:*:* cpe:2.3:a:apache:nifi:2.0.0:milestone1-rc5:*:*:*:*:*:* cpe:2.3:a:apache:nifi:2.0.0:milestone2-rc4:*:*:*:*:*:* cpe:2.3:a:apache:nifi:2.0.0:milestone1:*:*:*:*:*:* |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.4 |
First Time |
Apache nifi
Apache |
08 Jul 2024, 15:49
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
08 Jul 2024, 08:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-07-08 08:15
Updated : 2024-11-21 09:23
NVD link : CVE-2024-37389
Mitre link : CVE-2024-37389
CVE.ORG link : CVE-2024-37389
JSON object : View
Products Affected
apache
- nifi
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')