CVE-2024-45477

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-45477
Apache NiFi 1.10.0 through 1.27.0 and 2.0.0-M1 through 2.0.0-M3 support a description field for Parameters in a Parameter Context configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to configure a Parameter Context, can enter arbitrary JavaScript code, which the client browser will execute within the session context of the authenticated user. Upgrading to Apache NiFi 1.28.0 or 2.0.0-M4 is the recommended mitigation.

4.6 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.1 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://lists.apache.org/thread/shdv0tw9hggj7tx9pl7g93mgok2lwbj9 Mailing List Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:nifi:2.0.0:milestone1:*:*:*:*:*:*
cpe:2.3:a:apache:nifi:2.0.0:milestone2:*:*:*:*:*:*
cpe:2.3:a:apache:nifi:2.0.0:milestone3:*:*:*:*:*:*
History

08 Nov 2024, 15:03

Type Values Removed Values Added
References () https://lists.apache.org/thread/shdv0tw9hggj7tx9pl7g93mgok2lwbj9 - () https://lists.apache.org/thread/shdv0tw9hggj7tx9pl7g93mgok2lwbj9 - Mailing List, Vendor Advisory
First Time Apache
Apache nifi
CPE cpe:2.3:a:apache:nifi:2.0.0:milestone2:*:*:*:*:*:*
cpe:2.3:a:apache:nifi:2.0.0:milestone3:*:*:*:*:*:*
cpe:2.3:a:apache:nifi:2.0.0:milestone1:*:*:*:*:*:*
cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*

29 Oct 2024, 14:34

Type Values Removed Values Added
Summary
  • (es) Apache NiFi 1.10.0 a 1.27.0 y 2.0.0-M1 a 2.0.0-M3 admiten un campo de descripción para los parámetros en una configuración de contexto de parámetros que es vulnerable a cross-site scripting. Un usuario autenticado, autorizado para configurar un contexto de parámetros, puede ingresar código JavaScript arbitrario, que el navegador del cliente ejecutará dentro del contexto de sesión del usuario autenticado. La actualización a Apache NiFi 1.28.0 o 2.0.0-M4 es la mitigación recomendada.

29 Oct 2024, 09:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-10-29 09:15

Updated : 2024-11-08 15:03

NVD link : CVE-2024-45477

Mitre link : CVE-2024-45477

CVE.ORG link : CVE-2024-45477

JSON object : View

Products Affected

apache

  • nifi
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')


NetmanageIT Website NetmanageIT OSINT Web NetmanageIT OpenCTI NetmanageIT PDF Tools NetmanageIT CTO Corner Blog NetmanageIT Email Header Analyzer NetmanageIT Password Pusher NetmanageIT Internet Health and Latency Dashboard NetmanageIT Dedicated Speed Test Site NetmanageIT Ubuntu Mirror 10Gbps Copyright OpenCVE 2024