CVE-2019-10080
Description
The XMLFileLookupService in NiFi versions 1.3.0 to 1.9.2 allowed trusted users to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE) and reveal information such as the versions of Java, Jersey, and Apache that the NiFi instance uses.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Trusted NiFi users could configure XMLFileLookupService with a malicious XML file, enabling XXE attacks that leak system information.
Vulnerability overview
CVE-2019-10080 is an XML External Entity (XXE) processing vulnerability in Apache NiFi's XMLFileLookupService, affecting versions 1.3.0 through 1.9.2 [2]. The service allowed trusted users to inadvertently configure a potentially malicious XML file. The root cause was the lack of proper XXE protections in the XML parsing configuration [3].
Attack vector
The vulnerability requires authenticated access with privileges to configure the XMLFileLookupService [1]. An attacker with those privileges could upload or modify an XML file containing external entity declarations. When the service processes this file, the XML parser would expand external entities, making HTTP requests to attacker-controlled servers [2].
Impact
Successful exploitation allows the attacker to exfiltrate information about the NiFi instance, including the versions of Java, Jersey, and Apache running on the server [2]. This information leakage could aid in further targeted attacks. The XXE capability itself could potentially be used for server-side request forgery (SSRF) or file disclosure, though the advisory primarily highlights information gathering [1].
Mitigation
Apache NiFi addressed this issue in version 1.9.2 with the fix merged in pull request #3507 [3]. The patch introduced a SafeXMLConfiguration class that disables Document Type Definitions (DTDs) and external entity processing, thereby preventing XXE attacks [3]. Users should upgrade to NiFi 1.9.2 or later. No workarounds were documented, but restricting trusted user privileges and monitoring unusual outbound HTTP requests from NiFi may help detect exploitation.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.nifi:nifi-security | Maven | >= 1.3.0, < 1.10.0 | 1.10.0 |
| org.apache.nifi:nifi | Maven | >= 1.3.0, < 1.10.0 | 1.10.0 |
Affected products
- NiFi / NiFi (GHSA coordinates, no CPE): versions >= 1.3.0, < 1.10.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-744r-vv2g-2x6g (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-10080 (GHSA, advisory)
- github.com/apache/nifi/pull/3507 (GHSA, web)
- lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E (MITRE, mailing list, x_refsource_MLIST; also listed by GHSA as web)
- nifi.apache.org/security.html (GHSA, x_refsource_CONFIRM, web)
- www.oracle.com/security-alerts/cpuApr2021.html (GHSA, x_refsource_MISC, web)
News mentions
No linked articles in our index yet.