Miggo Logo

CVE-2017-12623: XML External Entity Reference in Apache NiFi

6.5

CVSS Score
3.0

Basic Information

EPSS Score
0.65267%
Published
5/17/2022
Updated
1/30/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.apache.nifi:nifimaven>= 1.0.0, < 1.4.01.4.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from insecure XML parsing during template processing. While the exact patch isn't shown, the CVE description and NiFi's architecture indicate:

  1. TemplateUtils.parseTemplate would be the primary XML parsing location for templates
  2. uploadTemplate is the controller endpoint handling template uploads
  3. XXE vulnerabilities typically manifest in DocumentBuilderFactory configuration, which would occur in these XML processing methods
  4. The fix version (1.4.0) would have modified these areas to add setFeature("http://apache.org/xml/features/disallow-doctype-decl", true) or similar protections

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n *ut*oriz** us*r *oul* uplo** * t*mpl*t* w*i** *ont*in** m*li*ious *o** *n* ****ss** s*nsitiv* *il*s vi* *n XML *xt*rn*l *ntity (XX*) *tt**k. T** *ix to prop*rly **n*l* XML *xt*rn*l *ntiti*s w*s *ppli** on t** *p**** Ni*i *.*.* r*l**s*. Us*rs runni

Reasoning

T** vuln*r**ility st*ms *rom ins**ur* XML p*rsin* *urin* t*mpl*t* pro**ssin*. W*il* t** *x**t p*t** isn't s*own, t** *V* **s*ription *n* Ni*i's *r**it**tur* in*i**t*: *. T*mpl*t*Utils.p*rs*T*mpl*t* woul* ** t** prim*ry XML p*rsin* lo**tion *or t*mpl*