Apache NiFi Security Alert: XSS Vulnerability (CVE-2024-37389) Exposed

Apache NiFi, a widely-used data processing and distribution platform, has issued a security advisory, urging users to patch their systems immediately. The vulnerability, tracked as CVE-2024-37389, could allow authenticated attackers to execute malicious JavaScript code within a user’s session context, potentially compromising sensitive data and system integrity.

The flaw stems from improper input sanitization in the description field of the Parameter Context configuration. An attacker with authorization to configure a Parameter Context could inject arbitrary JavaScript code, which would then be executed by the client browser. This could lead to a range of attacks, including session hijacking, data theft, and even remote code execution.

The vulnerability was discovered by Akbar Kustirama at abay.sh, who responsibly reported it to the Apache NiFi project.

Apache NiFi is widely used in various industries for automating data pipelines, including cybersecurity, observability, event streams, and generative AI applications. The potential impact of this vulnerability is significant, as compromised systems could leak confidential data, disrupt critical operations, or even become launching pads for further attacks.

The vulnerability affects a wide range of Apache NiFi versions, spanning from 1.10.0 to 1.26.0 and 2.0.0-M1 to 2.0.0-M3. Users are strongly advised to upgrade to either Apache NiFi 1.27.0 or 2.0.0-M4, where the issue has been addressed.