NIFI-13460 Published CVE-2024-37389

apache · Jul 8, 2024 · a5a3e8b · a5a3e8b
1 parent 2945101
commit a5a3e8b
Showing 1 changed file with 19 additions and 0 deletions.
diff --git a/content/documentation/security.md b/content/documentation/security.md
@@ -64,6 +64,25 @@ Severity ratings represent the determination of project members based on an eval
 
 The following announcements include published vulnerabilities that apply directly to Apache NiFi components.
 
+{{< vulnerability
+id="CVE-2024-37389"
+title="Improper Neutralization of Input in Parameter Context Description"
+published="2024-07-08"
+severity="Medium"
+products="Apache NiFi"
+affectedVersions="1.10.0 to 1.26.0 and 2.0.0-M1 to 2.0.0-M3"
+fixedVersion="1.27.0 and 2.0.0-M4"
+jira="NIFI-13374"
+pullRequest="8938"
+reporter="Akbar Kustirama at abay.sh" >}}
+
+Apache NiFi 1.10.0 through 1.26.0 and 2.0.0-M1 through 2.0.0-M3 support a description field in the Parameter Context
+configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to configure a Parameter
+Context, can enter arbitrary JavaScript code, which the client browser will execute within the session context of the
+authenticated user. Upgrading to Apache NiFi 1.27.0 or 2.0.0-M4 is the recommended mitigation.
+
+{{</ vulnerability >}}
+
 {{< vulnerability
 id="CVE-2023-49145"
 title="Improper Neutralization of Input in Advanced User Interface for Jolt"