CVE-2024-37389

Published Jul 8, 2024

Last updated 4 months ago

CVSS medium 5.4

Overview

Description: Apache NiFi 1.10.0 through 1.26.0 and 2.0.0-M1 through 2.0.0-M3 support a description field in the Parameter Context configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to configure a Parameter Context, can enter arbitrary JavaScript code, which the client browser will execute within the session context of the authenticated user. Upgrading to Apache NiFi 1.27.0 or 2.0.0-M4 is the recommended mitigation.
Source: security@apache.org
NVD status: Analyzed

Risk scores

CVSS 3.1

Type: Primary
Base score: 5.4
Impact score: 2.7
Exploitability score: 2.3
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Severity: MEDIUM

Weaknesses

nvd@nist.gov: CWE-79
security@apache.org: CWE-79

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "D9D4EA18-4E49-4BEA-B450-60769AE53E84",
            "versionEndExcluding": "1.27.0",
            "versionStartIncluding": "1.10.0"
          },
          {
            "criteria": "cpe:2.3:a:apache:nifi:2.0.0:milestone1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "D147AF4C-74C3-41AE-B5A5-24051AC1458B"
          },
          {
            "criteria": "cpe:2.3:a:apache:nifi:2.0.0:milestone1-rc1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "8F5DBC6B-2239-4349-A836-EFB8BA720145"
          },
          {
            "criteria": "cpe:2.3:a:apache:nifi:2.0.0:milestone1-rc2:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "B366BC5E-6845-40C3-9A2E-89BF99BC0C84"
          },
          {
            "criteria": "cpe:2.3:a:apache:nifi:2.0.0:milestone1-rc3:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "96565E7C-0CE5-439C-9B81-551DC0B7CB9D"
          },
          {
            "criteria": "cpe:2.3:a:apache:nifi:2.0.0:milestone1-rc4:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "7547CA64-3DEC-4322-96CA-C732E132DC3B"
          },
          {
            "criteria": "cpe:2.3:a:apache:nifi:2.0.0:milestone1-rc5:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "8067F8FC-2183-4302-A7EE-29912E68F1A8"
          },
          {
            "criteria": "cpe:2.3:a:apache:nifi:2.0.0:milestone1-rc6:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "B1C2A606-5B3A-47C7-A94A-9BBA6E4B330F"
          },
          {
            "criteria": "cpe:2.3:a:apache:nifi:2.0.0:milestone2:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "200043CB-5676-4005-97B8-C95BCFF3EE0B"
          },
          {
            "criteria": "cpe:2.3:a:apache:nifi:2.0.0:milestone2-rc1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "73A9B62D-47A5-41B3-8E7C-86DED14A230D"
          },
          {
            "criteria": "cpe:2.3:a:apache:nifi:2.0.0:milestone2-rc2:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "923C9C51-206A-4C12-A60D-3E9DE7808BCD"
          },
          {
            "criteria": "cpe:2.3:a:apache:nifi:2.0.0:milestone2-rc3:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "98CF1F86-BE1E-410E-A425-873081B9B353"
          },
          {
            "criteria": "cpe:2.3:a:apache:nifi:2.0.0:milestone2-rc4:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "34AD9B07-0C66-487A-9D32-A75C99852EE0"
          },
          {
            "criteria": "cpe:2.3:a:apache:nifi:2.0.0:milestone3:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "1DE8050C-59BA-4789-B211-7AC0D0E696BE"
          },
          {
            "criteria": "cpe:2.3:a:apache:nifi:2.0.0:milestone3-rc1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "665BBA63-AF45-4B9F-BA0E-6C900E675270"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Risk scores

CVSS 3.1

Weaknesses

Social media

Configurations

References