7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-29265

GHSA ID

GHSA-wc97-7623-rxwx

EPSS Score

0.77743%

CWE

CWE-611

Published

5/1/2022

Updated

1/30/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-29265

CVE-2022-29265:
Multiple components in Apache NiFi do not restrict XML External Entity references

Apache NiFi is a system to process and distribute data. Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configuration. The Standard Content Viewer service attempts to resolve XML External Entity references when viewing formatted XML files. The following Processors attempt to resolve XML External Entity references when configured with default property values:

EvaluateXPath
EvaluateXQuery
ValidateXml

Apache NiFi flow configurations that include these Processors are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. NiFi 1.16.1 disables Document Type Declarations in the default configuration for these Processors and disallows XML External Entity resolution in standard services.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-29265

GHSA ID

GHSA-wc97-7623-rxwx

EPSS Score

0.77743%

CWE

CWE-611

Published

5/1/2022

Updated

1/30/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.nifi:nifi	maven	>= 0.0.1, < 1.16.1	1.16.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability explicitly names three processors (EvaluateXPath, EvaluateXQuery, ValidateXml) and the Standard Content Viewer service as components with insecure XML parsing. In Java XML processing, XXE vulnerabilities typically occur when DocumentBuilderFactory/SAXParserFactory instances are created without disabling DTDs (FEATURE_SECURE_PROCESSING not enabled). The processors' onTrigger methods (main processing entry points) and the content viewer's XML rendering method would be where insecure parsing occurs. While exact code isn't available, the component names and vulnerability pattern strongly indicate these are the vulnerable entry points.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*p**** Ni*i is * syst*m to pro**ss *n* *istri*ut* **t*. Multipl* *ompon*nts in *p**** Ni*i *.*.* to *.**.* *o not r*stri*t XML *xt*rn*l *ntity r***r*n**s in t** ****ult *on*i*ur*tion. T** St*n**r* *ont*nt Vi*w*r s*rvi** *tt*mpts to r*solv* XML *xt*rn

Reasoning

T** vuln*r**ility *xpli*itly n*m*s t*r** pro**ssors (*v*lu*t*XP*t*, *v*lu*t*XQu*ry, V*li**t*Xml) *n* t** St*n**r* *ont*nt Vi*w*r s*rvi** *s *ompon*nts wit* ins**ur* XML p*rsin*. In J*v* XML pro**ssin*, XX* vuln*r**iliti*s typi**lly o**ur w**n *o*um*n

7.5

Basic Information

Concerned about an active attack path?

CVE-2022-29265: Multiple components in Apache NiFi do not restrict XML External Entity references

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2022-29265:
Multiple components in Apache NiFi do not restrict XML External Entity references

Vulnerability Intelligence
Miggo AI