CVE-2019-10080
Apache NiFi information disclosure by XXE
6.5
MEDIUM
CVSS 3.1
EPSS 0.42%
Description
The XMLFileLookupService in NiFi versions 1.3.0 to 1.9.2 allowed trusted users to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE) and reveal information such as the versions of Java, Jersey, and Apache that the NiFI instance uses.
How to fix CVE-2019-10080
To remediate CVE-2019-10080, upgrade the affected package to a fixed version below.
- —upgrade to 1.10.0 or later
- —upgrade to 1.10.0 or later
Is CVE-2019-10080 being exploited?
Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 1.3.0, < 1.10.0
- >= 1.3.0, < 1.10.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |