Jeyassri Balachandran created NIFI-11484:
--------------------------------------------
Summary: Fix CVE-2023-22832: Improper Restriction of XML External
Entity References in ExtractCCDAAttributes
Key: NIFI-11484
URL: https://issues.apache.org/jira/browse/NIFI-11484
Project: Apache NiFi
Issue Type: Improvement
Affects Versions: 1.19.1, 1.19.0
Reporter: Jeyassri Balachandran
Fix For: 1.19.1, 1.19.0
Backporting the fix from NiFi 1.20.
References: https://issues.apache.org/jira/browse/NIFI-11029
The {{ExtractCCDAAttributes}} Processor uses a custom {{CDAUtil}} class to load
and parse the FlowFile {{InputStream}}. The {{CDAUtil}} class also includes
a {{load}} method that takes a standard DOM {{Document}}. The Processor
should be updated to use the standard {{nifi-xml-processing}} library for
parsing the XML prior to calling {{CDAUtil.load}}.
In addition to implementing standard XML parsing, the {{ExtractCCDAAttributes}}
Processor should be deprecated for removal because the implementation relies on
outdated libraries, and the extensive use of FlowFile attributes does not align
with best practices for record-oriented data handling.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)