CVE-2023-49145
📋 TL;DR
This DOM-based cross-site scripting vulnerability in Apache NiFi's JoltTransformJSON Processor allows authenticated users with configuration privileges to execute arbitrary JavaScript by visiting a crafted URL. The attack occurs within the authenticated user's session context, potentially leading to session hijacking or unauthorized actions. Affected versions are Apache NiFi 0.7.0 through 1.23.2.
💻 Affected Systems
- Apache NiFi
📦 What is this software?
Nifi by Apache
⚠️ Risk & Real-World Impact
Worst Case
An attacker could hijack authenticated sessions, steal sensitive data, perform unauthorized configuration changes, or pivot to other systems using the compromised user's credentials.
Likely Case
Session hijacking leading to unauthorized access to NiFi data flows, configuration tampering, or data exfiltration from the NiFi instance.
If Mitigated
Limited impact with proper network segmentation, strong authentication controls, and minimal user privileges.
🎯 Exploit Status
Exploitation requires social engineering to trick authenticated users into visiting crafted URLs. No public exploit code has been disclosed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.24.0 or 2.0.0-M1
Vendor Advisory: https://nifi.apache.org/security.html#CVE-2023-49145
Restart Required: Yes
Instructions:
1. Backup current NiFi configuration and data. 2. Download Apache NiFi 1.24.0 or newer from official Apache site. 3. Stop NiFi service. 4. Replace installation with patched version. 5. Restore configuration if needed. 6. Start NiFi service. 7. Verify functionality.
🔧 Temporary Workarounds
Restrict JoltTransformJSON Processor Access
allLimit user permissions to only necessary processors and remove JoltTransformJSON configuration privileges from non-essential users.
Configure via NiFi UI: Settings > Users/Groups > Policies
Implement Content Security Policy
allAdd CSP headers to prevent execution of unauthorized scripts.
Add to nifi.properties: nifi.web.http.header.content-security-policy=default-src 'self'
🧯 If You Can't Patch
- Implement strict network segmentation to isolate NiFi instances from untrusted networks
- Enforce principle of least privilege for all user accounts and monitor for suspicious configuration changes
🔍 How to Verify
Check if Vulnerable:
Check NiFi version via UI (top-right corner) or command: grep 'nifi.version' nifi.propertiesCheck Version:
grep 'nifi.version' /path/to/nifi.propertiesVerify Fix Applied:
Confirm version is 1.24.0 or higher via UI or command line📡 Detection & Monitoring
Log Indicators:
- Unusual JoltTransformJSON processor configuration changes
- Multiple failed authentication attempts followed by successful login
Network Indicators:
- Suspicious URLs containing JavaScript payloads in referrer headers
- Unusual outbound connections from NiFi server
SIEM Query:
source="nifi" AND (event_type="PROCESSOR_CONFIGURED" AND processor_type="JoltTransformJSON")🔗 References
- http://www.openwall.com/lists/oss-security/2023/11/27/5
- https://lists.apache.org/thread/j8rd0qsvgoj0khqck5f49jfbp0fm8r1o
- https://nifi.apache.org/security.html#CVE-2023-49145
- http://www.openwall.com/lists/oss-security/2023/11/27/5
- https://lists.apache.org/thread/j8rd0qsvgoj0khqck5f49jfbp0fm8r1o
- https://nifi.apache.org/security.html#CVE-2023-49145
