
CVE-2021-44145 : What You Need to Know

Discover how an authenticated user in Apache NiFi before version 1.15.1 could configure a malicious XSLT file, potentially leading to sensitive information disclosure. Learn about the impact, vulnerability, affected systems, exploitation mechanism, and mitigation steps.

Apache NiFi information disclosure by XXE.

Understanding CVE-2021-44145

In this CVE, an authenticated user of Apache NiFi before version 1.15.1 could configure a malicious XSLT file, potentially leading to sensitive information exposure.

What is CVE-2021-44145?

Apache NiFi before 1.15.1 allows authenticated users to use the TransformXML processor to configure XSLT files that might include malicious external entity calls, resulting in the disclosure of sensitive information.

The Impact of CVE-2021-44145

This vulnerability is classified as low impact, but it could lead to a sensitive information disclosure risk within affected systems.

Technical Details of CVE-2021-44145

In-depth technical information about the CVE.

Vulnerability Description

An authenticated user in Apache NiFi before 1.15.1 could exploit the TransformXML processor by configuring an XSLT file with malicious external entity calls, potentially revealing sensitive data.

Affected Systems and Versions

        Product: Apache NiFi
        Vendor: Apache Software Foundation
        Versions Affected: <= 1.15.0

Exploitation Mechanism

The vulnerability arises when an authenticated user configures the TransformXML processor with an XSLT file that references external entities; when the transform runs, those entities are resolved and their contents can be disclosed, exposing sensitive information.

Mitigation and Prevention

Guidelines to mitigate and prevent exploitation of the CVE.

Immediate Steps to Take

        Update Apache NiFi to version 1.15.1 or later.
        Avoid using untrusted XSLT files in the TransformXML processor.

Long-Term Security Practices

        Regularly monitor and audit XSLT configurations in Apache NiFi.
        Educate users on secure configuration practices to prevent information disclosure.

Patching and Updates

Update to Apache NiFi version 1.15.1 or above to address the vulnerability.
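As an added illustration (not NiFi's own code and not the actual 1.15.1 patch), the Java snippet below shows the standard JAXP hardening that prevents an XSLT stylesheet's external entities from being resolved: the factory is told to allow no external DTD/entity access and no external stylesheet loading. The stylesheet, class name and file path are constructed for this example.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import java.io.StringWriter;

public class HardenedXsltExample {
    // Constructed stylesheet: its DTD declares a SYSTEM entity pointing at a
    // local file (placeholder path). A parser that resolves it would embed the
    // file's contents in the transform output, which is the XXE disclosure.
    static final String XSLT_WITH_EXTERNAL_ENTITY =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE xsl:stylesheet [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER/secret.txt\">]>\n"
      + "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">\n"
      + "  <xsl:template match=\"/\"><out>&ext;</out></xsl:template>\n"
      + "</xsl:stylesheet>";

    static final String INPUT_XML = "<doc/>";

    // Factory that refuses external DTD/entity access and external stylesheet
    // loading (xsl:import, xsl:include, document()).
    static TransformerFactory hardenedFactory() throws Exception {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    // Returns true if the transform completed, false if the factory rejected
    // the stylesheet (e.g. because it tried to resolve an external entity).
    static boolean runTransform(TransformerFactory tf, String xslt, String xml) {
        try {
            Transformer t = tf.newTransformer(new StreamSource(new StringReader(xslt)));
            StringWriter out = new StringWriter();
            t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
            return true;
        } catch (TransformerException e) {
            return false;   // hardened factory: external entity access is denied
        }
    }

    public static void main(String[] args) throws Exception {
        boolean ran = runTransform(hardenedFactory(), XSLT_WITH_EXTERNAL_ENTITY, INPUT_XML);
        System.out.println("hardened transform ran: " + ran);   // expected: false
    }
}
```

An operator does not write this code; it shows what a library-level fix looks like, which is why upgrading to a NiFi release that applies such restrictions is the effective remedy, with restricting who may configure the TransformXML processor as defence in depth.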
