CVE-2024-37389

Apache NiFi 1.10.0 through 1.26.0 and 2.0.0-M1 through 2.0.0-M3 support a description field in the Parameter Context configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to configure a Parameter Context, can enter arbitrary JavaScript code, which the client browser will execute within the session context of the authenticated user. Upgrading to Apache NiFi 1.27.0 or 2.0.0-M4 is the recommended mitigation.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:nifi:2.0.0:milestone1:*:*:*:*:*:*
cpe:2.3:a:apache:nifi:2.0.0:milestone1-rc1:*:*:*:*:*:*
cpe:2.3:a:apache:nifi:2.0.0:milestone1-rc2:*:*:*:*:*:*
cpe:2.3:a:apache:nifi:2.0.0:milestone1-rc3:*:*:*:*:*:*
cpe:2.3:a:apache:nifi:2.0.0:milestone1-rc4:*:*:*:*:*:*
cpe:2.3:a:apache:nifi:2.0.0:milestone1-rc5:*:*:*:*:*:*
cpe:2.3:a:apache:nifi:2.0.0:milestone1-rc6:*:*:*:*:*:*
cpe:2.3:a:apache:nifi:2.0.0:milestone2:*:*:*:*:*:*
cpe:2.3:a:apache:nifi:2.0.0:milestone2-rc1:*:*:*:*:*:*
cpe:2.3:a:apache:nifi:2.0.0:milestone2-rc2:*:*:*:*:*:*
cpe:2.3:a:apache:nifi:2.0.0:milestone2-rc3:*:*:*:*:*:*
cpe:2.3:a:apache:nifi:2.0.0:milestone2-rc4:*:*:*:*:*:*
cpe:2.3:a:apache:nifi:2.0.0:milestone3:*:*:*:*:*:*
cpe:2.3:a:apache:nifi:2.0.0:milestone3-rc1:*:*:*:*:*:*

History

21 Nov 2024, 09:23

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 5.4
v2 : unknown
v3 : 4.6
References
  • () http://www.openwall.com/lists/oss-security/2024/07/08/1 -
References () https://lists.apache.org/thread/yso9fr0wtff53nk046h1o83hdyb1lrxh - Mailing List () https://lists.apache.org/thread/yso9fr0wtff53nk046h1o83hdyb1lrxh - Mailing List

11 Jul 2024, 14:48

Type Values Removed Values Added
References () https://lists.apache.org/thread/yso9fr0wtff53nk046h1o83hdyb1lrxh - () https://lists.apache.org/thread/yso9fr0wtff53nk046h1o83hdyb1lrxh - Mailing List
CPE cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:nifi:2.0.0:milestone1-rc6:*:*:*:*:*:*
cpe:2.3:a:apache:nifi:2.0.0:milestone2-rc1:*:*:*:*:*:*
cpe:2.3:a:apache:nifi:2.0.0:milestone2-rc2:*:*:*:*:*:*
cpe:2.3:a:apache:nifi:2.0.0:milestone1-rc3:*:*:*:*:*:*
cpe:2.3:a:apache:nifi:2.0.0:milestone1-rc4:*:*:*:*:*:*
cpe:2.3:a:apache:nifi:2.0.0:milestone1-rc1:*:*:*:*:*:*
cpe:2.3:a:apache:nifi:2.0.0:milestone3-rc1:*:*:*:*:*:*
cpe:2.3:a:apache:nifi:2.0.0:milestone3:*:*:*:*:*:*
cpe:2.3:a:apache:nifi:2.0.0:milestone2:*:*:*:*:*:*
cpe:2.3:a:apache:nifi:2.0.0:milestone2-rc3:*:*:*:*:*:*
cpe:2.3:a:apache:nifi:2.0.0:milestone1-rc2:*:*:*:*:*:*
cpe:2.3:a:apache:nifi:2.0.0:milestone1-rc5:*:*:*:*:*:*
cpe:2.3:a:apache:nifi:2.0.0:milestone2-rc4:*:*:*:*:*:*
cpe:2.3:a:apache:nifi:2.0.0:milestone1:*:*:*:*:*:*
CVSS v2 : unknown
v3 : 4.6
v2 : unknown
v3 : 5.4
First Time Apache nifi
Apache

08 Jul 2024, 15:49

Type Values Removed Values Added
Summary
  • (es) Apache NiFi 1.10.0 a 1.26.0 y 2.0.0-M1 a 2.0.0-M3 admiten un campo de descripción en la configuración del contexto de parámetros que es vulnerable a Cross site Scripting. Un usuario autenticado, autorizado para configurar un contexto de parámetro, puede ingresar código JavaScript arbitrario, que el navegador del cliente ejecutará dentro del contexto de sesión del usuario autenticado. La mitigación recomendada es actualizar a Apache NiFi 1.27.0 o 2.0.0-M4.

08 Jul 2024, 08:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-07-08 08:15

Updated : 2024-11-21 09:23


NVD link : CVE-2024-37389

Mitre link : CVE-2024-37389

CVE.ORG link : CVE-2024-37389


JSON object : View

Products Affected

apache

  • nifi
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')