CVE-2024-45477

Published Oct 29, 2024

Last updated 4 months ago

CVSS medium 4.6

Overview

Description: Apache NiFi 1.10.0 through 1.27.0 and 2.0.0-M1 through 2.0.0-M3 support a description field for Parameters in a Parameter Context configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to configure a Parameter Context, can enter arbitrary JavaScript code, which the client browser will execute within the session context of the authenticated user. Upgrading to Apache NiFi 1.28.0 or 2.0.0-M4 is the recommended mitigation.
Source: security@apache.org
NVD status: Analyzed

Risk scores

CVSS 3.1

Type: Primary
Base score: 4.6
Impact score: 2.5
Exploitability score: 2.1
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Severity: MEDIUM

Weaknesses

security@apache.org: CWE-79

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "FF44039C-8F48-403B-86F1-7EEDC61B05A0",
            "versionEndIncluding": "1.27.0",
            "versionStartIncluding": "1.10.0"
          },
          {
            "criteria": "cpe:2.3:a:apache:nifi:2.0.0:milestone1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "D147AF4C-74C3-41AE-B5A5-24051AC1458B"
          },
          {
            "criteria": "cpe:2.3:a:apache:nifi:2.0.0:milestone2:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "200043CB-5676-4005-97B8-C95BCFF3EE0B"
          },
          {
            "criteria": "cpe:2.3:a:apache:nifi:2.0.0:milestone3:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "1DE8050C-59BA-4789-B211-7AC0D0E696BE"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Risk scores

CVSS 3.1

Weaknesses

Social media

Configurations

References