CVE-2023-49145 in NiFi

Summary

by MITRE • 11/28/2023

Apache NiFi 0.7.0 through 1.23.2 include the JoltTransformJSON Processor, which provides an advanced configuration user interface that is vulnerable to DOM-based cross-site scripting. If an authenticated user, who is authorized to configure a JoltTransformJSON Processor, visits a crafted URL, then arbitrary JavaScript code can be executed within the session context of the authenticated user. Upgrading to Apache NiFi 1.24.0 or 2.0.0-M1 is the recommended mitigation.


Analysis

by VulDB Data Team • 12/17/2023

The vulnerability CVE-2023-49145 affects Apache NiFi versions ranging from 0.7.0 through 1.23.2 and specifically targets the JoltTransformJSON Processor component. This processor provides an advanced configuration user interface that enables users to define complex JSON transformation logic through a graphical interface. The security flaw manifests as a DOM-based cross-site scripting vulnerability that exploits the processor's configuration interface, creating a dangerous attack surface for authenticated users with appropriate privileges. The vulnerability is particularly concerning because it leverages the trust relationship between the user and the application, executing malicious code within the context of an authenticated session.

This vulnerability stems from insufficient input validation and output encoding in the JoltTransformJSON Processor's advanced configuration interface. When an authenticated user opens a crafted URL, the interface reads attacker-controlled parameters from that URL and writes them into the browser's Document Object Model without sanitizing or escaping them, so the embedded JavaScript runs in the victim's browser session and bypasses the security boundaries that would otherwise separate the user from the attacker. The flaw is classified as DOM-based XSS (CWE-79) under the Common Weakness Enumeration framework: a client-side injection that occurs when untrusted data is written to the DOM without proper sanitization.

The operational impact of this vulnerability is significant for organizations utilizing Apache NiFi as their data integration platform. An attacker who can convince an authenticated user to visit a malicious URL gains the ability to execute arbitrary JavaScript code within the user's session context, potentially leading to complete account compromise, data exfiltration, or privilege escalation. The vulnerability requires only a single authenticated user to be tricked into visiting the malicious page, making it particularly dangerous in environments where multiple users have access to the NiFi interface. This attack vector aligns with the ATT&CK framework's technique T1566 for initial access through spearphishing and T1059 for command and scripting interpreter, demonstrating how a single vulnerability can enable broader exploitation capabilities.

Organizations should immediately upgrade to Apache NiFi version 1.24.0 or the early access release 2.0.0-M1 to remediate this vulnerability. The upgrade process should be carefully planned to ensure minimal disruption to ongoing data processing workflows while addressing the security gap. Additional mitigations include implementing strict content security policies that restrict script execution within the NiFi interface, conducting regular security awareness training for users to recognize phishing attempts, and monitoring user access logs for suspicious activities. Network segmentation and privileged access controls should also be reinforced to limit the potential impact of successful exploitation attempts, ensuring that even if one user's session is compromised, the attacker's access remains constrained.
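The pattern the analysis describes, a URL-supplied value reaching a DOM sink unescaped, is shown below as an added JavaScript example. It is not Apache NiFi code and does not reproduce the actual NiFi defect; the hypothetical configuration page, the `name` fragment parameter, the function names and the constructed sample fragment are all assumptions made for illustration. It places the vulnerable sink beside two hardened alternatives and a small review check that tells them apart.

```javascript
// Added example (not Apache NiFi code): the DOM-based XSS pattern described above,
// shown as a vulnerable sink beside two hardened alternatives. The page, the
// "name" parameter and the sample fragment are constructed for illustration.

// Stand-in for a DOM element so the example runs under Node without a browser.
// In a real page these would be properties of a live HTMLElement.
function makeElement() {
  return { innerHTML: "", textContent: "" };
}

// Parse a URL fragment such as "#name=foo&mode=edit" into a plain object.
// Everything here is attacker-controlled: the fragment is never sent to the
// server, so server-side filtering cannot help (this is what makes it DOM-based).
function parseFragment(hash) {
  const params = {};
  for (const pair of hash.replace(/^#/, "").split("&")) {
    if (!pair) continue;
    const i = pair.indexOf("=");
    const key = i < 0 ? pair : pair.slice(0, i);
    const value = i < 0 ? "" : pair.slice(i + 1);
    params[decodeURIComponent(key)] = decodeURIComponent(value);
  }
  return params;
}

// VULNERABLE: untrusted fragment data is concatenated into markup and assigned
// to innerHTML. Any tag or event-handler attribute in the value becomes live DOM.
function renderVulnerable(el, hash) {
  const name = parseFragment(hash).name || "";
  el.innerHTML = '<span class="name">' + name + "</span>";
  return el.innerHTML;
}

// HARDENED (preferred): assign untrusted data as text. textContent never parses
// markup, so "<b>" reaches the screen as the literal characters "<b>".
function renderHardened(el, hash) {
  const name = parseFragment(hash).name || "";
  el.textContent = name;
  return el.textContent;
}

// HTML-escape for the cases where markup genuinely has to be built as a string.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// HARDENED (string-building variant): same template as the vulnerable version,
// but the untrusted value is escaped before it reaches the innerHTML sink.
function renderHardenedMarkup(el, hash) {
  const name = parseFragment(hash).name || "";
  el.innerHTML = '<span class="name">' + escapeHtml(name) + "</span>";
  return el.innerHTML;
}

// Constructed fragment: the value is "<b>x</b>" URL-encoded, standing in for a
// crafted link. Harmless here, but it shows whether markup survives into the DOM.
const SAMPLE_FRAGMENT = "#name=%3Cb%3Ex%3C%2Fb%3E";

// Review check: does the rendered markup contain any tag beyond the template?
// Useful in a unit test that feeds the renderer a value containing "<".
function hasUnexpectedMarkup(html) {
  const inner = html.replace(/^<span class="name">/, "").replace(/<\/span>$/, "");
  return /<[a-z!\/]/i.test(inner);
}

console.log("vulnerable :", renderVulnerable(makeElement(), SAMPLE_FRAGMENT));
console.log("textContent:", renderHardened(makeElement(), SAMPLE_FRAGMENT));
console.log("escaped    :", renderHardenedMarkup(makeElement(), SAMPLE_FRAGMENT));
```

The fix belongs at the sink: prefer `textContent` (or framework bindings that treat data as text), and escape only where a markup string is unavoidable. The content security policy the analysis recommends is a second layer, not a replacement: a `script-src` directive without `'unsafe-inline'` stops inline scripts and event-handler attributes from executing even if such markup does land in the DOM, but it does nothing about the injection itself.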

Reservation

11/22/2023

Disclosure

11/28/2023

Moderation

accepted

CPE

ready

EPSS

0.01212

KEV

no

Activities

very low

Sources
