[ https://issues.apache.org/jira/browse/NIFI-9676?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Raman N updated NIFI-9676:
--------------------------
    Priority: Minor  (was: Major)

> Upgrade xmlsec to 2.1.7/2.2.3 due to CVE-2021-40690
> ---------------------------------------------------
>
>                 Key: NIFI-9676
>                 URL: https://issues.apache.org/jira/browse/NIFI-9676
>             Project: Apache NiFi
>          Issue Type: Bug
>            Reporter: Raman N
>            Priority: Minor
>
> is currently pulling in xmlsec 1.5.8 as a transitive dependency (detected by 
> Trivy). This needs to be upgraded to 2.2.3+ due to CVE-2021-40690.
>  
> {code:java}
>         {
>           "VulnerabilityID": "CVE-2021-40690",
>           "PkgName": "org.apache.santuario:xmlsec",
>           "PkgPath": "opt/nifi/nifi-toolkit-current/lib/xmlsec-1.5.8.jar",
>           "InstalledVersion": "1.5.8",
>           "FixedVersion": "2.1.7, 2.2.3",
>           "Layer": {
>             "Digest": "sha256:4e4453b0591c2445b47576e4a8721ccc1bb1e7312c9f78c6c0f7fdbddad2a0f3",
>             "DiffID": "sha256:5e21f394214906c7864139895d26d2dae021b68493693c633f5f9b0a690ae2b2"
>           },
>           "SeveritySource": "ghsa-maven",
>           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-40690",
>           "Title": "xml-security: XPath Transform abuse allows for information disclosure",
>           "Description": "All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the \"secureValidation\" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.",
>           "Severity": "HIGH",
>           "CweIDs": [
>             "CWE-200"
>           ],
>           "CVSS": {
>             "nvd": {
>               "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
>               "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
>               "V2Score": 5,
>               "V3Score": 7.5
>             },
>             "redhat": {
>               "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
>               "V3Score": 7.5
>             }
>           },
> {code}
--
This message was sent by Atlassian Jira
(v8.20.1#820001)