XML External Entity (XXE) Vulnerability in NiFi XMLFileLookupService

XML External Entity (XXE) Vulnerability in NiFi XMLFileLookupService

CVE-2019-10080 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

The XMLFileLookupService in NiFi versions 1.3.0 to 1.9.2 allowed trusted users to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE) and reveal information such as the versions of Java, Jersey, and Apache that the NiFI instance uses.

Learn more about our Cis Benchmark Audit For Apache Http Server.