-
CVSS Score
-Basic Information
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AI| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.apache.nifi:nifi-ccda-processors | maven | >= 1.2.0, < 1.20.0 | 1.20.0 |
Miggo AIRoot Cause AnalysisThe vulnerability stems from insecure XML parsing in the loadDocument method. The pre-patch code directly passed the input stream to CDAUtil.load() without restricting DTDs or external entities. The commit diff shows the fix introduced a StandardDocumentProvider with secure parsing settings (disabling DTDs and XXE), confirming the original function was vulnerable. The added test case with an invalid DOCTYPE further validates that XXE exploitation was possible before the patch.