Cross-site Scripting (XSS) Affecting apache-nifi package, versions <1.27.0-r0
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-WOLFILATEST-APACHENIFI-7547034
- published 20 Jul 2024
- disclosed 8 Jul 2024
Introduced: 8 Jul 2024
CVE-2024-37389 Open this link in a new tabHow to fix?
Upgrade Wolfi apache-nifi to version 1.27.0-r0 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream apache-nifi package and not the apache-nifi package as distributed by Wolfi.
See How to fix? for Wolfi relevant fixed versions and status.
Apache NiFi 1.10.0 through 1.26.0 and 2.0.0-M1 through 2.0.0-M3 support a description field in the Parameter Context configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to configure a Parameter Context, can enter arbitrary JavaScript code, which the client browser will execute within the session context of the authenticated user. Upgrading to Apache NiFi 1.27.0 or 2.0.0-M4 is the recommended mitigation.