Apache NiFi Users Beware of Cross-Site Scripting Vulnerability

CVE: CVE-2023-49145
CVSS v3.1: 7.9
Source: CVE-2023-49145

Apache NiFi is an open source dataflow management tool that allows users to visually design data routing and processing. Unfortunately, versions 0.7.0 through 1.23.2 of Apache NiFi are affected by a cross-site scripting (XSS) vulnerability.

The vulnerability lies in the JoltTransformJSON Processor, which is used to transform JSON documents. This processor has an advanced configuration interface that is vulnerable to DOM-based XSS attacks. If an authenticated user visits a maliciously crafted URL, arbitrary JavaScript code could be executed in their session context.

In a DOM-based XSS attack, malicious scripts are not directly inserted into the HTML output. Instead, they modify the Document Object Model (DOM) using JavaScript after the page has loaded. This allows the script to run in the security context of the vulnerable site.

An attacker could exploit this vulnerability to hijack user sessions and perform actions like accessing or modifying data on the user’s behalf. They may also be able to install malware or steal login credentials.

The best way to protect yourself is to upgrade to Apache NiFi 1.24.0 or the 2.0.0-M1 release, which are not affected. In the meantime, exercise caution when interacting with or configuring the JoltTransformJSON processor. Be wary of unexpected popups or redirects when using affected NiFi instances.
