Raman N created NIFI-9676:
-----------------------------

             Summary: Upgrade xmlsec to 2.1.7/2.2.3 due to CVE-2021-40690
                 Key: NIFI-9676
                 URL: https://issues.apache.org/jira/browse/NIFI-9676
             Project: Apache NiFi
          Issue Type: Bug
            Reporter: Raman N


is currently pulling in xmlsec 1.5.8 as a transitive dependency (detected by 
Trivy). This needs to be upgraded to 2.2.3+ due to CVE-2021-40690.

 
{code:java}
{
  "VulnerabilityID": "CVE-2021-40690",
  "PkgName": "org.apache.santuario:xmlsec",
  "PkgPath": "opt/nifi/nifi-toolkit-current/lib/xmlsec-1.5.8.jar",
  "InstalledVersion": "1.5.8",
  "FixedVersion": "2.1.7, 2.2.3",
  "Layer": {
    "Digest": "sha256:4e4453b0591c2445b47576e4a8721ccc1bb1e7312c9f78c6c0f7fdbddad2a0f3",
    "DiffID": "sha256:5e21f394214906c7864139895d26d2dae021b68493693c633f5f9b0a690ae2b2"
  },
  "SeveritySource": "ghsa-maven",
  "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-40690",
  "Title": "xml-security: XPath Transform abuse allows for information disclosure",
  "Description": "All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the \"secureValidation\" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.",
  "Severity": "HIGH",
  "CweIDs": [
    "CWE-200"
  ],
  "CVSS": {
    "nvd": {
      "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
      "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "V2Score": 5,
      "V3Score": 7.5
    },
    "redhat": {
      "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "V3Score": 7.5
    }
  },
{code}



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
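The Trivy finding above carries two fixed versions ("2.1.7, 2.2.3"), one per maintained release line of xmlsec, which is why a naive "installed < fixed" comparison gets this wrong for anyone already on the 2.1.x line. The following script is an added example, not part of the ticket or of NiFi or Trivy: it reads a Trivy JSON report, decides per finding whether the installed version is still exposed given possibly several fixed versions, and lists the candidate upgrade targets. The Results/Target wrapper around the vulnerability object and the second finding (severity MEDIUM, no fix published) are constructed sample data; the version-comparison rule (same major.minor line if one is listed, otherwise newer than every listed fix) is the assumption the check is built on.

```python
import json

# Severity order used by Trivy; UNKNOWN sorts lowest.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report: the xmlsec finding from the ticket, trimmed to the
# fields used below, plus a constructed entry that has no published fix.
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "opt/nifi/nifi-toolkit-current/lib/xmlsec-1.5.8.jar",
        "Vulnerabilities": [
            {
                "VulnerabilityID": "CVE-2021-40690",
                "PkgName": "org.apache.santuario:xmlsec",
                "InstalledVersion": "1.5.8",
                "FixedVersion": "2.1.7, 2.2.3",
                "Severity": "HIGH",
            },
            {   # constructed placeholder finding, not a real advisory
                "VulnerabilityID": "CONSTRUCTED-0001",
                "PkgName": "example:constructed-lib",
                "InstalledVersion": "0.9.0",
                "FixedVersion": "",
                "Severity": "MEDIUM",
            },
        ],
    }]
})


def parse_version(text: str) -> tuple:
    """Turn '2.2.3' into (2, 2, 3); trailing qualifiers such as '-SNAPSHOT' are dropped."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def fixed_versions(field: str) -> list:
    """Trivy joins fixes for several release lines with ', ' (e.g. '2.1.7, 2.2.3')."""
    return [v.strip() for v in field.split(",") if v.strip()]


def is_still_vulnerable(installed: str, fixed_field: str) -> bool:
    """Branch-aware check: compare against the fix on our own major.minor line if
    one exists; otherwise we are safe only if newer than every listed fix."""
    fixes = fixed_versions(fixed_field)
    if not fixes:
        return True  # no fix published yet: remains exposed
    inst = parse_version(installed)
    same_line = [parse_version(f) for f in fixes if parse_version(f)[:2] == inst[:2]]
    if same_line:
        return inst < min(same_line)
    return inst < max(parse_version(f) for f in fixes)


def upgrade_targets(installed: str, fixed_field: str) -> list:
    """Fixed versions newer than the installed one, lowest jump first."""
    inst = parse_version(installed)
    return sorted((f for f in fixed_versions(fixed_field) if parse_version(f) > inst),
                  key=parse_version)


def gate(report_text: str, min_severity: str = "HIGH") -> list:
    """Findings at or above min_severity that the installed version does not fix."""
    threshold = SEVERITY_RANK[min_severity]
    hits = []
    for result in json.loads(report_text).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if SEVERITY_RANK.get(vuln.get("Severity", "UNKNOWN"), 0) < threshold:
                continue
            installed = vuln["InstalledVersion"]
            fixed = vuln.get("FixedVersion", "")
            if not is_still_vulnerable(installed, fixed):
                continue
            hits.append({
                "id": vuln["VulnerabilityID"],
                "pkg": vuln["PkgName"],
                "target": result.get("Target", ""),
                "installed": installed,
                "upgrade_to": upgrade_targets(installed, fixed),
            })
    return hits


if __name__ == "__main__":
    for hit in gate(SAMPLE_REPORT):
        print(f"{hit['id']}: {hit['pkg']}@{hit['installed']} in {hit['target']} "
              f"-> upgrade to one of {hit['upgrade_to'] or ['(no fix published)']}")
```

Run against a real report with `gate(open("trivy.json").read())`; a non-empty result is the CI failure condition. For the ticket's case the script reports both 2.1.7 and 2.2.3 as valid targets, and the lowest entry is only the minimal patch on the oldest fixed line, so a project that can take the larger jump (as this ticket asks, to 2.2.3+) should pick the newest.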
