CVE-2020-13940 - Vulnerability Details - OpenCVE

In Apache NiFi 1.0.0 to 1.11.4, the notification service manager and various policy authorizer and user group provider objects allowed trusted administrators to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE).

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.01252.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Nifi

Configuration 1 [-]

cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2022-0671	In Apache NiFi 1.0.0 to 1.11.4, the notification service manager and various policy authorizer and user group provider objects allowed trusted administrators to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE).
Github GHSA	GHSA-q4xf-3pmq-3hw8	Improper Restriction of XML External Entity Reference in Apache NiFi

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://nifi.apache.org/security#CVE-2020-13940

History

No history.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2020-10-01T19:55:16

Updated: 2024-08-04T12:32:14.454Z

Reserved: 2020-06-08T00:00:00

Link: CVE-2020-13940

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-10-01T20:15:13.097

Modified: 2024-11-21T05:02:11.600

Link: CVE-2020-13940

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "Apache NiFi", "vendor": "n/a", "versions": [{"status": "affected", "version": "Apache NiFi 1.0.0 to 1.11.4"}]}], "descriptions": [{"lang": "en", "value": "In Apache NiFi 1.0.0 to 1.11.4, the notification service manager and various policy authorizer and user group provider objects allowed trusted administrators to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE)."}], "problemTypes": [{"descriptions": [{"description": "Information disclosure by XXE", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-10-01T19:55:16", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://nifi.apache.org/security#CVE-2020-13940"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2020-13940", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache NiFi", "version": {"version_data": [{"version_value": "Apache NiFi 1.0.0 to 1.11.4"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Apache NiFi 1.0.0 to 1.11.4, the notification service manager and various policy authorizer and user group provider objects allowed trusted administrators to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE)."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Information disclosure by XXE"}]}]}, "references": {"reference_data": [{"name": "https://nifi.apache.org/security#CVE-2020-13940", "refsource": "MISC", "url": "https://nifi.apache.org/security#CVE-2020-13940"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T12:32:14.454Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://nifi.apache.org/security#CVE-2020-13940"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2020-13940", "datePublished": "2020-10-01T19:55:16", "dateReserved": "2020-06-08T00:00:00", "dateUpdated": "2024-08-04T12:32:14.454Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*", "matchCriteriaId": "43022122-9397-48D7-BD86-925042103633", "versionEndIncluding": "1.11.4", "versionStartIncluding": "1.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In Apache NiFi 1.0.0 to 1.11.4, the notification service manager and various policy authorizer and user group provider objects allowed trusted administrators to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE)."}, {"lang": "es", "value": "En Apache NiFi versiones 1.0.0 hasta 1.11.4, el administrador del servicio de notificaci\u00f3n y varios objetos del autorizador de pol\u00edticas y proveedor de grupos de usuarios permitieron a los administradores confiables configurar inadvertidamente un archivo XML potencialmente malicioso. El archivo XML tiene la capacidad de hacer llamadas externas a servicios (por medio de XXE)"}], "id": "CVE-2020-13940", "lastModified": "2024-11-21T05:02:11.600", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-10-01T20:15:13.097", "references": [{"source": "security@apache.org", "tags": ["Vendor Advisory"], "url": "https://nifi.apache.org/security#CVE-2020-13940"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://nifi.apache.org/security#CVE-2020-13940"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "nvd@nist.gov", "type": "Primary"}]}