VYPR
Moderate severityNVD Advisory· Published Oct 29, 2024· Updated Oct 29, 2024

Apache NiFi: Improper Neutralization of Input in Parameter Description

CVE-2024-45477

Description

Apache NiFi 1.10.0 through 1.27.0 and 2.0.0-M1 through 2.0.0-M3 support a description field for Parameters in a Parameter Context configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to configure a Parameter Context, can enter arbitrary JavaScript code, which the client browser will execute within the session context of the authenticated user. Upgrading to Apache NiFi 1.28.0 or 2.0.0-M4 is the recommended mitigation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.apache.nifi:nifi-web-uiMaven
>= 1.10.0, < 1.28.01.28.0
org.apache.nifi:nifi-web-uiMaven
>= 2.0.0-M1, < 2.0.0-M42.0.0-M4

Affected products

3

Patches

Vulnerability mechanics

References

8

News mentions

0

No linked articles in our index yet.