High severityNVD Advisory· Published Feb 10, 2023· Updated Mar 24, 2025
Apache NiFi: Improper Restriction of XML External Entity References in ExtractCCDAAttributes
CVE-2023-22832
Description
The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references.
Flow configurations that include the ExtractCCDAAttributes Processor are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references.
The resolution disables Document Type Declarations and disallows XML External Entity resolution in the ExtractCCDAAttributes Processor.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.nifi:nifi-ccda-processorsMaven | >= 1.2.0, < 1.20.0 | 1.20.0 |
Affected products
3- osv-coords2 versions
>= 1.2.0, <= 1.19.1+ 1 more
- (no CPE)range: >= 1.2.0, <= 1.19.1
- (no CPE)range: >= 1.2.0, < 1.20.0
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-hxjp-q6c3-38fxghsaADVISORY
- lists.apache.org/thread/b51qs6y7b7r58vovddkv6wc16g2xbl3wghsavendor-advisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2023-22832ghsaADVISORY
- github.com/apache/nifi/commit/e966336e8966cf0cbbd12a2c4f2d73a7ceb75cd8ghsaWEB
- nifi.apache.org/security.htmlghsatechnical-descriptionWEB
News mentions
0No linked articles in our index yet.