Moderate severity · NVD Advisory · Published Jul 8, 2024 · Updated Sep 13, 2024
Apache NiFi: Improper Neutralization of Input in Parameter Context Description
CVE-2024-37389
Description
Apache NiFi 1.10.0 through 1.26.0 and 2.0.0-M1 through 2.0.0-M3 support a description field in the Parameter Context configuration that is vulnerable to stored cross-site scripting. An authenticated user who is authorized to configure a Parameter Context can enter arbitrary JavaScript in that field; when the NiFi web user interface renders the description, the browser executes the script within the session context of the authenticated user viewing it. Exploitation therefore requires an existing account that holds that authorization. Upgrading to Apache NiFi 1.27.0 or 2.0.0-M4 is the recommended mitigation.
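To make the mechanism concrete, the following is an added example in JavaScript; it is not Apache NiFi's code and does not reproduce the project's actual fix. It contrasts splicing a stored description straight into page markup (the pattern behind CWE-79) with encoding the value for the HTML text context first, and runs under Node without a browser. The wrapper element, the helper names and the two sample descriptions are constructed for the illustration.

```javascript
// Added example for CVE-2024-37389; not Apache NiFi's code. It models the
// stored-XSS pattern behind the advisory (untrusted stored text interpolated
// into markup) next to the output-encoding fix. The wrapper element and the
// helper names are assumptions made for this example.

// Constructed sample inputs: descriptions as a user authorized to configure a
// Parameter Context could save them. The first carries an inline event
// handler; the second is innocent but still contains markup characters.
const MALICIOUS_DESCRIPTION =
  'Prod parameters<img src=x onerror="alert(\'xss\')">';
const BENIGN_DESCRIPTION = 'Parameters for <prod> & "staging"';

// HTML-escape the five characters that can change the parser's context.
// The ampersand goes first so existing entities are not double-decoded later.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Inverse of escapeHtml, decoding the ampersand last; this is what a browser
// exposes as textContent for a node containing only text and these entities.
function unescapeHtml(value) {
  return String(value)
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, '&');
}

// Vulnerable rendering: the stored value is interpolated into markup verbatim,
// the same effect as jQuery's .html(value) or element.innerHTML = value.
function renderDescriptionUnsafe(description) {
  return `<div class="parameter-context-description">${description}</div>`;
}

// Fixed rendering: identical template, but the value is encoded for the HTML
// text context first, the same effect as .text(value) or element.textContent.
function renderDescriptionSafe(description) {
  return `<div class="parameter-context-description">${escapeHtml(description)}</div>`;
}

// Content between the wrapper's opening and closing tags.
function innerMarkup(rendered) {
  return rendered.slice(rendered.indexOf('>') + 1, rendered.lastIndexOf('</div>'));
}

// True if the HTML tokenizer would open a tag anywhere inside the wrapper:
// '<' followed by a letter, '!', '/' or '?'. An inline event handler needs
// such a tag to live in, so this is exactly the condition output encoding removes.
function hasInjectedTag(rendered) {
  return /<[a-z!\/?]/i.test(innerMarkup(rendered));
}

// What a viewer sees for a safely rendered description: the original text,
// markup characters included, shown literally rather than interpreted.
function displayedText(renderedSafe) {
  return unescapeHtml(innerMarkup(renderedSafe));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const d of [MALICIOUS_DESCRIPTION, BENIGN_DESCRIPTION]) {
    console.log('unsafe:', renderDescriptionUnsafe(d), '| tag injected:', hasInjectedTag(renderDescriptionUnsafe(d)));
    console.log('safe  :', renderDescriptionSafe(d), '| tag injected:', hasInjectedTag(renderDescriptionSafe(d)));
  }
}
```

Two points worth noticing when running it. The benign description also breaks the unsafe rendering, because `<prod>` is parsed as an element and disappears from the visible text, so encoding at the output fixes correctness as well as the injection. And output encoding leaves the stored value untouched: if an instance was exposed while on an affected version, the descriptions already saved in its Parameter Contexts are worth inspecting for markup after the upgrade, even though the upgraded UI renders them as inert text.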
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.nifi:nifi-web-ui | Maven | >= 1.10.0, < 1.27.0 | 1.27.0 |
| org.apache.nifi:nifi-web-ui | Maven | >= 2.0.0-M1, < 2.0.0-M4 | 2.0.0-M4 |
Affected products
Seven OSV package coordinates are listed, none with a CPE:
- pkg:apk/chainguard/apache-nifi: < 1.27.0-r0
- pkg:apk/chainguard/apache-nifi-compat: < 1.27.0-r0
- pkg:apk/chainguard/apache-nifi-toolkit: < 1.27.0-r0
- pkg:apk/wolfi/apache-nifi: < 1.27.0-r0
- pkg:apk/wolfi/apache-nifi-compat: < 1.27.0-r0
- pkg:apk/wolfi/apache-nifi-toolkit: < 1.27.0-r0
- pkg:maven/org.apache.nifi/nifi-web-ui: >= 1.10.0, < 1.27.0
References
- github.com/advisories/GHSA-h658-qqv9-qwv8 (GitHub Security Advisory)
- lists.apache.org/thread/yso9fr0wtff53nk046h1o83hdyb1lrxh (Apache vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-37389 (NVD entry)
- github.com/apache/nifi/commit/1ea0bc1f7fa90ecff0ceb8b0c91a9aebeb05893b (commit)
- github.com/apache/nifi/pull/8938 (pull request)
- issues.apache.org/jira/browse/NIFI-13374 (Apache JIRA issue)