VYPR
High severity · NVD Advisory · Published Feb 10, 2023 · Updated Mar 24, 2025

Apache NiFi: Improper Restriction of XML External Entity References in ExtractCCDAAttributes

CVE-2023-22832

Description

The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references.

Flow configurations that include the ExtractCCDAAttributes Processor are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references.

The resolution disables Document Type Declarations and disallows XML External Entity resolution in the ExtractCCDAAttributes Processor.
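The resolution above replaces unrestricted parsing with a parser that refuses DTDs; as an added example that is not code from this page or from NiFi (StandardDocumentProvider's own settings are not reproduced), this standalone Java program builds a javax.xml.parsers.DocumentBuilder with the hardening a defender should expect from such a provider. It runs the parser over two constructed inputs: a minimal ClinicalDocument carrying the same DOCTYPE shape as the patch's test, and the same document without it.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class HardenedCdaParse {
    // Constructed sample inputs: the DOCTYPE shape from the patch's test on a minimal CDA root
    private static final String DOCTYPE =
            "<!DOCTYPE invalid [<!ENTITY entity SYSTEM 'file:///file-not-found'> %entity;]>";
    private static final String WITH_DOCTYPE = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
            + DOCTYPE + "<ClinicalDocument xmlns=\"urn:hl7-org:v3\"/>";
    private static final String WITHOUT_DOCTYPE = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
            + "<ClinicalDocument xmlns=\"urn:hl7-org:v3\"/>";

    /** Namespace-aware parser that rejects any DOCTYPE and never fetches external entities. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true); // CDA elements live in the urn:hl7-org:v3 namespace
        // Reject the DTD outright: no internal subset, no parameter entities, no external subset
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth should the DOCTYPE feature ever be relaxed
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        return factory.newDocumentBuilder();
    }

    /** Root element's local name, or null when the hardened parser rejected the input. */
    static String parseRootName(String xml) throws Exception {
        try {
            Document doc = hardenedBuilder()
                    .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return doc.getDocumentElement().getLocalName();
        } catch (SAXException e) {
            return null; // DOCTYPE present: the equivalent of routing the FlowFile to failure
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("with DOCTYPE: " + parseRootName(WITH_DOCTYPE));
        System.out.println("without DOCTYPE: " + parseRootName(WITHOUT_DOCTYPE));
    }
}
```

The DOCTYPE input fails at the declaration itself, before any entity is looked up, which is the behaviour the advisory's fix requires.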

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache NiFi 1.2.0 through 1.19.1's ExtractCCDAAttributes Processor is vulnerable to XML External Entity (XXE) attacks via malicious XML documents.

The ExtractCCDAAttributes Processor in Apache NiFi versions 1.2.0 through 1.19.1 does not restrict XML External Entity (XXE) references [1][2]. This processor is used to extract attributes from CDA (Clinical Document Architecture) documents. The vulnerability arises because the processor allows Document Type Declarations (DTDs) with external entity references, enabling an attacker to craft malicious XML that includes XXE payloads [2].

Exploitation requires a flow configuration that includes the ExtractCCDAAttributes Processor; an attacker then submits to that flow a malicious XML document containing a DTD with XXE references [2]. The processor parses the XML without restricting entity resolution, so the external entity is resolved. The patch adds sanitized XML parsing that disables DTDs and disallows XXE resolution, as shown in the commit that adds tests for invalid documents with DOCTYPE declarations [4].

Successful exploitation can lead to information disclosure, server-side request forgery (SSRF), or other impacts depending on the content of the external entity, as typical for XXE vulnerabilities. The resolution disables Document Type Declarations and disallows XML External Entity resolution in the ExtractCCDAAttributes Processor [1][2]. Users must upgrade to a patched version; the commit history indicates the fix was applied to address this issue [4].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.apache.nifi:nifi-ccda-processors (Maven)
Affected versions: >= 1.2.0, < 1.20.0
Patched versions: 1.20.0

Patches (1)

Commit e966336e8966

NIFI-11029 Added Standard XML parsing to ExtractCCDAAttributes

https://github.com/apache/nifi · exceptionfactory · Jan 6, 2023 · via ghsa
3 files changed · +33 −14
  • nifi-nar-bundles/nifi-ccda-bundle/nifi-ccda-processors/pom.xml  +5 −0  modified
    @@ -35,6 +35,11 @@
                 <artifactId>nifi-utils</artifactId>
                 <version>1.20.0-SNAPSHOT</version>
             </dependency>
    +        <dependency>
    +            <groupId>org.apache.nifi</groupId>
    +            <artifactId>nifi-xml-processing</artifactId>
    +            <version>1.20.0-SNAPSHOT</version>
    +        </dependency>
             <dependency>
                 <groupId>org.apache.commons</groupId>
                 <artifactId>commons-lang3</artifactId>
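Review bot: the new nifi-xml-processing dependency mirrors the nifi-utils entry above it (same groupId, same hardcoded 1.20.0-SNAPSHOT version), which matches this module's existing convention; since the SNAPSHOT version is now hardcoded twice in this block, confirm the release bump tooling updates both entries, or move the version into the parent's dependencyManagement.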
    
  • nifi-nar-bundles/nifi-ccda-bundle/nifi-ccda-processors/src/main/java/org/apache/nifi/processors/ccda/ExtractCCDAAttributes.java  +9 −1  modified
    @@ -41,6 +41,7 @@
     import org.apache.nifi.annotation.behavior.SideEffectFree;
     import org.apache.nifi.annotation.behavior.SupportsBatching;
     import org.apache.nifi.annotation.documentation.CapabilityDescription;
    +import org.apache.nifi.annotation.documentation.DeprecationNotice;
     import org.apache.nifi.annotation.documentation.Tags;
     import org.apache.nifi.annotation.lifecycle.OnScheduled;
     import org.apache.nifi.components.PropertyDescriptor;
    @@ -53,6 +54,7 @@
     import org.apache.nifi.processor.exception.ProcessException;
     import org.apache.nifi.processor.util.StandardValidators;
     import org.apache.nifi.util.StopWatch;
    +import org.apache.nifi.xml.processing.parsers.StandardDocumentProvider;
     import org.eclipse.emf.common.util.Diagnostic;
     import org.openhealthtools.mdht.uml.cda.CDAPackage;
     import org.openhealthtools.mdht.uml.cda.ClinicalDocument;
    @@ -62,7 +64,9 @@
     import org.openhealthtools.mdht.uml.cda.ihe.IHEPackage;
     import org.openhealthtools.mdht.uml.cda.util.CDAUtil;
     import org.openhealthtools.mdht.uml.cda.util.CDAUtil.ValidationHandler;
    +import org.w3c.dom.Document;
     
    +@DeprecationNotice(reason = "Parsing XML elements to FlowFile attributes is not recommend and should be replaced with record-oriented handling")
     @SideEffectFree
     @SupportsBatching
     @InputRequirement(Requirement.INPUT_REQUIRED)
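Review bot: the @DeprecationNotice reason string has a grammatical error, "is not recommend" should read "is not recommended"; this text is rendered in the generated processor documentation, so fix it before merge. Deprecating the processor in the same commit as the XXE fix is defensible, but the commit message (NIFI-11029 Added Standard XML parsing to ExtractCCDAAttributes) does not mention the deprecation, so record it there as well.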
    @@ -284,7 +288,11 @@ protected ClinicalDocument loadDocument(InputStream inputStream, Boolean skipVal
             ClinicalDocument cd = null;
     
             try {
    -            cd = CDAUtil.load(inputStream); // load CDA document
    +            final StandardDocumentProvider documentProvider = new StandardDocumentProvider();
    +            documentProvider.setNamespaceAware(true);
    +            final Document document = documentProvider.parse(inputStream);
    +
    +            cd = CDAUtil.load(document); // load CDA document
                 if (!skipValidation && !CDAUtil.validate(cd, new CDAValidationHandler())) { //optional validation
                     getLogger().error("Failed to validate CDA document");
                     throw new ProcessException("Failed to validate CDA document");
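Review bot: the REL_FAILURE routing that testRunInvalidDocument relies on depends on the catch clauses below this hunk (not shown) handling whatever StandardDocumentProvider.parse throws on a DOCTYPE, so verify that exception type is caught rather than escaping onTrigger. The "// load CDA document" comment now sits on the call that takes the pre-parsed DOM; a comment on the parse line stating that the provider is used because it disables DTDs and external entity resolution (the intent stated in the advisory) would make the security reason visible at the call site, and setNamespaceAware(true) deserves a note that it is required because the CDA elements are namespaced (urn:hl7-org:v3 in the test document).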
    
  • nifi-nar-bundles/nifi-ccda-bundle/nifi-ccda-processors/src/test/java/org/apache/nifi/processors/ccda/TestExtractCCDAAttributes.java  +19 −13  modified
    @@ -19,7 +19,6 @@
     import org.apache.nifi.util.MockFlowFile;
     import org.apache.nifi.util.TestRunner;
     import org.apache.nifi.util.TestRunners;
    -import org.junit.jupiter.api.BeforeAll;
     import org.junit.jupiter.api.BeforeEach;
     import org.junit.jupiter.api.Test;
     import org.openhealthtools.mdht.uml.cda.consol.ConsolFactory;
    @@ -33,20 +32,17 @@
     import org.openhealthtools.mdht.uml.cda.consol.VitalSignsSection;
     import org.openhealthtools.mdht.uml.cda.util.CDAUtil;
     
    -import java.io.IOException;
     import java.io.StringWriter;
    -import java.util.HashMap;
    +import java.util.LinkedHashMap;
     import java.util.Map;
     
    -
     public class TestExtractCCDAAttributes {
     
    -    private TestRunner runner;
    +    private static final String INVALID_DOCTYPE = "<!DOCTYPE invalid [<!ENTITY entity SYSTEM 'file:///file-not-found'> %entity;]>";
     
    -    @BeforeAll
    -    public static void setup() {
    -        System.setProperty("org.slf4j.simpleLogger.log.org.apache.nifi", "INFO");
    -    }
    +    private static final String INVALID_DOCUMENT = String.format("<?xml version=\"1.0\" encoding=\"UTF-8\" ?>%s<ClinicalDocument xmlns=\"urn:hl7-org:v3\" />", INVALID_DOCTYPE);
    +
    +    private TestRunner runner;
     
         @BeforeEach
         public void init() {
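Review bot: INVALID_DOCTYPE declares a parameter entity pointing at file:///file-not-found, so the test would also pass against a parser that still honours DTDs but merely fails to open that file; to demonstrate that the DOCTYPE itself is rejected, assert on the failure cause as well as on routing. Removing the @BeforeAll logger setup is unrelated cleanup, which is fine, but it belongs in the commit message.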
    @@ -55,7 +51,7 @@ public void init() {
     
         @Test
         public void testProcessor() throws Exception {
    -        Map<String, String> expectedAttributes = new HashMap<String, String>();
    +        Map<String, String> expectedAttributes = new LinkedHashMap<>();
             expectedAttributes.put("code.code", "34133-9");
             expectedAttributes.put("code.codeSystem", "2.16.840.1.113883.6.1");
             expectedAttributes.put("code.codeSystemName", "LOINC");
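Review bot: switching expectedAttributes from HashMap to LinkedHashMap (with the diamond operator) is unrelated to the fix; it is harmless, but it changes the map's iteration order, so keep it only if runTests relies on ordered assertions.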
    @@ -110,11 +106,21 @@ public void testProcessor() throws Exception {
             StringWriter writer = new StringWriter();
             CDAUtil.save(doc, writer);
     
    -        runTests(writer.toString(), expectedAttributes, true, true);
    +        runTests(writer.toString(), expectedAttributes);
    +    }
    +
    +    @Test
    +    public void testRunInvalidDocument() {
    +        runner.enqueue(INVALID_DOCUMENT);
    +
    +        runner.run();
    +
    +        runner.assertAllFlowFilesTransferred(ExtractCCDAAttributes.REL_FAILURE);
         }
     
    -    private void runTests(final String content, Map<String, String> expectedAttributes, final boolean skipValidation, final boolean prettyPrinting) throws IOException{
    -        runner.setProperty(ExtractCCDAAttributes.SKIP_VALIDATION, String.valueOf(skipValidation));
    +
    +    private void runTests(final String content, final Map<String, String> expectedAttributes) {
    +        runner.setProperty(ExtractCCDAAttributes.SKIP_VALIDATION, Boolean.TRUE.toString());
     
             runner.enqueue(content);
     
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
