[ https://issues.apache.org/jira/browse/NIFI-11484?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Pierre Villard resolved NIFI-11484.
-----------------------------------
    Resolution: Won't Do

> Fix CVE-2023-22832: Improper Restriction of XML External Entity References in 
> ExtractCCDAAttributes
> ---------------------------------------------------------------------------------------------------
>
>                 Key: NIFI-11484
>                 URL: https://issues.apache.org/jira/browse/NIFI-11484
>             Project: Apache NiFi
>          Issue Type: Improvement
>    Affects Versions: 1.19.0, 1.19.1
>            Reporter: Jeyassri Balachandran
>            Priority: Minor
>             Fix For: 1.19.1, 1.19.0
>
>
> Backporting the fix from nifi 1.20.
>  
> References: https://issues.apache.org/jira/browse/NIFI-11029
>  
> The {{ExtractCCDAAttributes}} Processor uses a custom {{CDAUtil}} class to 
> load and parse the FlowFile {{InputStream}}. The {{CDAUtil}} class also 
> includes a {{load}} method that takes a standard DOM {{Document}}. The 
> Processor should be updated to use the standard {{nifi-xml-processing}} 
> library for parsing the XML prior to calling {{CDAUtil.load}}.
> In addition to implementing standard XML parsing, the 
> {{ExtractCCDAAttributes}} Processor should be deprecated for removal because 
> the implementation relies on outdated libraries, and the extensive use of 
> FlowFile attributes does not align with best practices for record-oriented 
> data handling.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
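
The parse-then-load approach described in the issue, as an added example that is not NiFi's code: the JDK's built-in JAXP parser stands in for {{nifi-xml-processing}}, and the class name {{HardenedCcdaParse}} and both sample documents are constructed for illustration. The call to {{CDAUtil.load}} is left as a comment because it needs the CDA library on the classpath.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedCcdaParse {

    // Parse to a DOM Document with DOCTYPE declarations refused outright,
    // so no internal or external entity can ever be defined or resolved.
    static Document parse(InputStream in) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        DocumentBuilder b = f.newDocumentBuilder();
        // DefaultHandler rethrows fatal errors instead of printing to stderr.
        b.setErrorHandler(new DefaultHandler());
        return b.parse(in);
    }

    static InputStream stream(String xml) {
        return new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs, not real C-CDA documents.
        String clean = "<ClinicalDocument xmlns=\"urn:hl7-org:v3\">"
                + "<title>Sample</title></ClinicalDocument>";
        String withDtd = "<!DOCTYPE ClinicalDocument [<!ENTITY e \"x\">]>"
                + "<ClinicalDocument xmlns=\"urn:hl7-org:v3\">"
                + "<title>&e;</title></ClinicalDocument>";

        Document doc = parse(stream(clean));
        System.out.println("parsed root: " + doc.getDocumentElement().getLocalName());
        // The processor would hand this Document to CDAUtil.load(Document) here.

        try {
            parse(stream(withDtd));
            System.out.println("DOCTYPE accepted (unexpected)");
        } catch (SAXException e) {
            // Route the FlowFile to failure rather than parsing leniently.
            System.out.println("DOCTYPE rejected: " + e.getMessage());
        }
    }
}
```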
