All the vulnerabilites related to Apache Software Foundation - Apache NiFi
cve-2023-40037
Vulnerability from cvelistv5
Published
2023-08-18 21:54
Modified
2024-09-27 20:06
Severity ?
EPSS score ?
Summary
Apache NiFi: Incomplete Validation of JDBC and JNDI Connection URLs
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Apache Software Foundation | Apache NiFi |
Version: 1.21.0 ≤ 1.23.0 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T18:24:54.979Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "release-notes", "x_transferred" ], "url": "https://nifi.apache.org/security.html#CVE-2023-40037" }, { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.apache.org/thread/bqbjlrs2p5ghh8sbk5nsxb8xpf9l687q" }, { "tags": [ "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2023/08/18/2" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-40037", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-27T20:06:15.715265Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-27T20:06:28.071Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Apache NiFi", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "1.23.0", "status": "affected", "version": "1.21.0", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Matei \"Mal\" Badanoiu" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Apache NiFi 1.21.0 through 1.23.0 support JDBC and JNDI JMS access in several Processors and Controller Services with connection URL validation that does not provide sufficient protection against crafted inputs. An authenticated and authorized user can bypass connection URL validation using custom input formatting. The resolution enhances connection URL validation and introduces validation for additional related properties. Upgrading to Apache NiFi 1.23.1 is the recommended mitigation.\u003cbr\u003e" } ], "value": "Apache NiFi 1.21.0 through 1.23.0 support JDBC and JNDI JMS access in several Processors and Controller Services with connection URL validation that does not provide sufficient protection against crafted inputs. An authenticated and authorized user can bypass connection URL validation using custom input formatting. The resolution enhances connection URL validation and introduces validation for additional related properties. Upgrading to Apache NiFi 1.23.1 is the recommended mitigation.\n" } ], "metrics": [ { "other": { "content": { "text": "moderate" }, "type": "Textual description of severity" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-184", "description": "CWE-184", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-08-18T21:54:52.454Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "release-notes" ], "url": "https://nifi.apache.org/security.html#CVE-2023-40037" }, { "tags": [ "vendor-advisory" ], "url": "https://lists.apache.org/thread/bqbjlrs2p5ghh8sbk5nsxb8xpf9l687q" }, { "url": "http://www.openwall.com/lists/oss-security/2023/08/18/2" } ], "source": { "defect": [ "NIFI-11920" ], "discovery": "UNKNOWN" }, "timeline": [ { "lang": "en", "time": "2023-08-06T03:00:00.000Z", "value": "reported" } ], "title": "Apache NiFi: Incomplete Validation of JDBC and JNDI Connection URLs", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2023-40037", "datePublished": "2023-08-18T21:54:52.454Z", "dateReserved": "2023-08-08T16:31:31.220Z", "dateUpdated": "2024-09-27T20:06:28.071Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2017-12632
Vulnerability from cvelistv5
Published
2018-01-23 22:00
Modified
2024-09-16 20:01
Severity ?
EPSS score ?
Summary
A malicious host header in an incoming HTTP request could cause NiFi to load resources from an external server. The fix to sanitize host headers and compare to a controlled whitelist was applied on the Apache NiFi 1.5.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
References
▼ | URL | Tags |
---|---|---|
https://nifi.apache.org/security.html#CVE-2017-12632 | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Apache Software Foundation | Apache NiFi |
Version: 1.0.0 - 1.4.0 Version: 0.1.0 - 0.7.x |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T18:43:56.549Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://nifi.apache.org/security.html#CVE-2017-12632" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache NiFi", "vendor": "Apache Software Foundation", "versions": [ { "status": "affected", "version": "1.0.0 - 1.4.0" }, { "status": "affected", "version": "0.1.0 - 0.7.x" } ] } ], "datePublic": "2018-01-12T00:00:00", "descriptions": [ { "lang": "en", "value": "A malicious host header in an incoming HTTP request could cause NiFi to load resources from an external server. The fix to sanitize host headers and compare to a controlled whitelist was applied on the Apache NiFi 1.5.0 release. Users running a prior 1.x release should upgrade to the appropriate release." } ], "problemTypes": [ { "descriptions": [ { "description": "Remote Code Execution", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-01-23T21:57:01", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://nifi.apache.org/security.html#CVE-2017-12632" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "DATE_PUBLIC": "2018-01-12T00:00:00", "ID": "CVE-2017-12632", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache NiFi", "version": { "version_data": [ { "version_value": "1.0.0 - 1.4.0" }, { "version_value": "0.1.0 - 0.7.x" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A malicious host header in an incoming HTTP request could cause NiFi to load resources from an external server. The fix to sanitize host headers and compare to a controlled whitelist was applied on the Apache NiFi 1.5.0 release. Users running a prior 1.x release should upgrade to the appropriate release." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Remote Code Execution" } ] } ] }, "references": { "reference_data": [ { "name": "https://nifi.apache.org/security.html#CVE-2017-12632", "refsource": "CONFIRM", "url": "https://nifi.apache.org/security.html#CVE-2017-12632" } ] } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2017-12632", "datePublished": "2018-01-23T22:00:00Z", "dateReserved": "2017-08-07T00:00:00", "dateUpdated": "2024-09-16T20:01:20.753Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-36542
Vulnerability from cvelistv5
Published
2023-07-29 07:12
Modified
2024-10-03 13:52
Severity ?
EPSS score ?
Summary
Apache NiFi: Potential Code Injection with Properties Referencing Remote Resources
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Apache Software Foundation | Apache NiFi |
Version: 0.0.2 ≤ 1.22.0 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T16:52:53.599Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "release-notes", "x_transferred" ], "url": "https://nifi.apache.org/security.html#CVE-2023-36542" }, { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.apache.org/thread/swnly3dzhhq9zo3rofc8djq77stkhbof" }, { "tags": [ "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2023/Jul/43" }, { "tags": [ "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2023/07/29/1" } ], "title": "CVE Program Container" }, { "affected": [ { "cpes": [ "cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "nifi", "vendor": "apache", "versions": [ { "lessThanOrEqual": "1.22.0", "status": "affected", "version": "0.0.2", "versionType": "custom" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2023-36542", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-10-03T13:50:05.694658Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-03T13:52:05.108Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Apache NiFi", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "1.22.0", "status": "affected", "version": "0.0.2", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "nbxiglk" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Apache NiFi 0.0.2 through 1.22.0 include Processors and Controller Services that support HTTP URL references for retrieving drivers, which allows an authenticated and authorized user to configure a location that enables custom code execution. The resolution introduces a new Required Permission for referencing remote resources, restricting configuration of these components to privileged users. The permission prevents unprivileged users from configuring Processors and Controller Services annotated with the new Reference Remote Resources restriction. Upgrading to Apache NiFi 1.23.0 is the recommended mitigation.\u003cbr\u003e" } ], "value": "Apache NiFi 0.0.2 through 1.22.0 include Processors and Controller Services that support HTTP URL references for retrieving drivers, which allows an authenticated and authorized user to configure a location that enables custom code execution. The resolution introduces a new Required Permission for referencing remote resources, restricting configuration of these components to privileged users. The permission prevents unprivileged users from configuring Processors and Controller Services annotated with the new Reference Remote Resources restriction. Upgrading to Apache NiFi 1.23.0 is the recommended mitigation.\n" } ], "metrics": [ { "other": { "content": { "text": "moderate" }, "type": "Textual description of severity" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-07-29T07:12:18.290Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "release-notes" ], "url": "https://nifi.apache.org/security.html#CVE-2023-36542" }, { "tags": [ "vendor-advisory" ], "url": "https://lists.apache.org/thread/swnly3dzhhq9zo3rofc8djq77stkhbof" }, { "url": "http://seclists.org/fulldisclosure/2023/Jul/43" }, { "url": "http://www.openwall.com/lists/oss-security/2023/07/29/1" } ], "source": { "defect": [ "NIFI-11744" ], "discovery": "EXTERNAL" }, "timeline": [ { "lang": "en", "time": "2023-06-19T12:00:00.000Z", "value": "reported" }, { "lang": "en", "time": "2023-06-20T19:00:00.000Z", "value": "confirmed" }, { "lang": "en", "time": "2023-06-21T16:00:00.000Z", "value": "resolved" } ], "title": "Apache NiFi: Potential Code Injection with Properties Referencing Remote Resources", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2023-36542", "datePublished": "2023-07-29T07:12:18.290Z", "dateReserved": "2023-06-22T21:15:24.126Z", "dateUpdated": "2024-10-03T13:52:05.108Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-49145
Vulnerability from cvelistv5
Published
2023-11-27 22:14
Modified
2024-08-02 21:46
Severity ?
EPSS score ?
Summary
Apache NiFi: Improper Neutralization of Input in Advanced User Interface for Jolt
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Apache Software Foundation | Apache NiFi |
Version: 0.7.0 ≤ 1.23.2 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T21:46:29.303Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://nifi.apache.org/security.html#CVE-2023-49145" }, { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.apache.org/thread/j8rd0qsvgoj0khqck5f49jfbp0fm8r1o" }, { "tags": [ "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2023/11/27/5" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "packageName": "org.apache.nifi:nifi-jolt-transform-json-ui", "product": "Apache NiFi", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "1.23.2", "status": "affected", "version": "0.7.0", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Dr. Oliver Matula, DB Systel GmbH" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Apache NiFi 0.7.0 through 1.23.2 include the JoltTransformJSON Processor, which provides an advanced configuration user interface that is vulnerable to DOM-based cross-site scripting. If an authenticated user, who is authorized to configure a JoltTransformJSON Processor, visits a crafted URL, then arbitrary\nJavaScript code can be executed within the session context of the authenticated user. Upgrading to Apache NiFi 1.24.0 or 2.0.0-M1 is the recommended mitigation." } ], "value": "Apache NiFi 0.7.0 through 1.23.2 include the JoltTransformJSON Processor, which provides an advanced configuration user interface that is vulnerable to DOM-based cross-site scripting. If an authenticated user, who is authorized to configure a JoltTransformJSON Processor, visits a crafted URL, then arbitrary\nJavaScript code can be executed within the session context of the authenticated user. Upgrading to Apache NiFi 1.24.0 or 2.0.0-M1 is the recommended mitigation." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.9, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-11-27T22:14:02.850Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://nifi.apache.org/security.html#CVE-2023-49145" }, { "tags": [ "vendor-advisory" ], "url": "https://lists.apache.org/thread/j8rd0qsvgoj0khqck5f49jfbp0fm8r1o" }, { "url": "http://www.openwall.com/lists/oss-security/2023/11/27/5" } ], "source": { "defect": [ "NIFI-12403" ], "discovery": "UNKNOWN" }, "timeline": [ { "lang": "en", "time": "2023-11-22T17:00:00.000Z", "value": "reported" }, { "lang": "en", "time": "2023-11-22T18:00:00.000Z", "value": "confirmed" }, { "lang": "en", "time": "2023-11-22T20:00:00.000Z", "value": "resolved" } ], "title": "Apache NiFi: Improper Neutralization of Input in Advanced User Interface for Jolt", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2023-49145", "datePublished": "2023-11-27T22:14:02.850Z", "dateReserved": "2023-11-22T19:51:06.932Z", "dateUpdated": "2024-08-02T21:46:29.303Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2016-8748
Vulnerability from cvelistv5
Published
2017-10-19 20:00
Modified
2024-09-17 04:05
Severity ?
EPSS score ?
Summary
In Apache NiFi before 1.0.1 and 1.1.x before 1.1.1, there is a cross-site scripting vulnerability in connection details dialog when accessed by an authorized user. The user supplied text was not being properly handled when added to the DOM.
References
▼ | URL | Tags |
---|---|---|
http://www.securityfocus.com/bid/95621 | vdb-entry, x_refsource_BID | |
https://nifi.apache.org/security.html#CVE-2016-8748 | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Apache Software Foundation | Apache NiFi |
Version: 1.0.0 Version: 1.1.0 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T02:35:00.195Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "95621", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/95621" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://nifi.apache.org/security.html#CVE-2016-8748" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache NiFi", "vendor": "Apache Software Foundation", "versions": [ { "status": "affected", "version": "1.0.0" }, { "status": "affected", "version": "1.1.0" } ] } ], "datePublic": "2016-12-19T00:00:00", "descriptions": [ { "lang": "en", "value": "In Apache NiFi before 1.0.1 and 1.1.x before 1.1.1, there is a cross-site scripting vulnerability in connection details dialog when accessed by an authorized user. The user supplied text was not being properly handled when added to the DOM." } ], "problemTypes": [ { "descriptions": [ { "description": "Information Disclosure", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-01-26T10:57:01", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "name": "95621", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/95621" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://nifi.apache.org/security.html#CVE-2016-8748" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "DATE_PUBLIC": "2016-12-19T00:00:00", "ID": "CVE-2016-8748", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache NiFi", "version": { "version_data": [ { "version_value": "1.0.0" }, { "version_value": "1.1.0" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Apache NiFi before 1.0.1 and 1.1.x before 1.1.1, there is a cross-site scripting vulnerability in connection details dialog when accessed by an authorized user. The user supplied text was not being properly handled when added to the DOM." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Information Disclosure" } ] } ] }, "references": { "reference_data": [ { "name": "95621", "refsource": "BID", "url": "http://www.securityfocus.com/bid/95621" }, { "name": "https://nifi.apache.org/security.html#CVE-2016-8748", "refsource": "CONFIRM", "url": "https://nifi.apache.org/security.html#CVE-2016-8748" } ] } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2016-8748", "datePublished": "2017-10-19T20:00:00Z", "dateReserved": "2016-10-18T00:00:00", "dateUpdated": "2024-09-17T04:05:08.852Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2018-17193
Vulnerability from cvelistv5
Published
2018-12-19 14:00
Modified
2024-08-05 10:39
Severity ?
EPSS score ?
Summary
The message-page.jsp error page used the value of the HTTP request header X-ProxyContextPath without sanitization, resulting in a reflected XSS attack. Mitigation: The fix to correctly parse and sanitize the request attribute value was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
References
▼ | URL | Tags |
---|---|---|
https://nifi.apache.org/security.html#CVE-2018-17193 | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Apache Software Foundation | Apache NiFi |
Version: Apache NiFi 1.0.0 - 1.7.1 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T10:39:59.641Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://nifi.apache.org/security.html#CVE-2018-17193" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache NiFi", "vendor": "Apache Software Foundation", "versions": [ { "status": "affected", "version": "Apache NiFi 1.0.0 - 1.7.1" } ] } ], "datePublic": "2018-12-19T00:00:00", "descriptions": [ { "lang": "en", "value": "The message-page.jsp error page used the value of the HTTP request header X-ProxyContextPath without sanitization, resulting in a reflected XSS attack. Mitigation: The fix to correctly parse and sanitize the request attribute value was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release." } ], "problemTypes": [ { "descriptions": [ { "description": "XSS", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-12-19T13:57:01", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://nifi.apache.org/security.html#CVE-2018-17193" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2018-17193", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache NiFi", "version": { "version_data": [ { "version_value": "Apache NiFi 1.0.0 - 1.7.1" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The message-page.jsp error page used the value of the HTTP request header X-ProxyContextPath without sanitization, resulting in a reflected XSS attack. Mitigation: The fix to correctly parse and sanitize the request attribute value was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "XSS" } ] } ] }, "references": { "reference_data": [ { "name": "https://nifi.apache.org/security.html#CVE-2018-17193", "refsource": "CONFIRM", "url": "https://nifi.apache.org/security.html#CVE-2018-17193" } ] } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2018-17193", "datePublished": "2018-12-19T14:00:00", "dateReserved": "2018-09-19T00:00:00", "dateUpdated": "2024-08-05T10:39:59.641Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-52067
Vulnerability from cvelistv5
Published
2024-11-21 09:28
Modified
2024-11-21 15:37
Severity ?
EPSS score ?
Summary
Apache NiFi: Potential Insertion of Sensitive Parameter Values in Debug Log
References
▼ | URL | Tags |
---|---|---|
https://lists.apache.org/thread/9rz5rwn2zc7pfjq7ppqldqlc067tlcwd | vendor-advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Apache Software Foundation | Apache NiFi |
Version: 1.16.0 ≤ 1.28.0 Version: 2.0.0-M1 ≤ 2.0.0-M4 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-11-21T10:03:44.345Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "url": "http://www.openwall.com/lists/oss-security/2024/11/20/2" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-52067", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-11-21T15:37:08.606724Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-11-21T15:37:48.210Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected", "packageName": "org.apache.nifi:nifi-framework-core", "product": "Apache NiFi", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "1.28.0", "status": "affected", "version": "1.16.0", "versionType": "semver" }, { "lessThanOrEqual": "2.0.0-M4", "status": "affected", "version": "2.0.0-M1", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "David Handermann" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Apache NiFi 1.16.0 through 1.28.0 and 2.0.0-M1 through 2.0.0-M4 include optional debug logging of Parameter Context values during the flow synchronization process. An authorized administrator with access to change logging levels could enable debug logging for framework flow synchronization, causing the application to write Parameter names and values to the application log. Parameter Context values may contain sensitive information depending on application flow configuration. Deployments of Apache NiFi with the default Logback configuration do not log Parameter Context values. Upgrading to Apache NiFi 2.0.0 or 1.28.1 is the recommendation mitigation, eliminating Parameter value logging from the flow synchronization process regardless of the Logback configuration.\u003cbr\u003e" } ], "value": "Apache NiFi 1.16.0 through 1.28.0 and 2.0.0-M1 through 2.0.0-M4 include optional debug logging of Parameter Context values during the flow synchronization process. An authorized administrator with access to change logging levels could enable debug logging for framework flow synchronization, causing the application to write Parameter names and values to the application log. Parameter Context values may contain sensitive information depending on application flow configuration. Deployments of Apache NiFi with the default Logback configuration do not log Parameter Context values. Upgrading to Apache NiFi 2.0.0 or 1.28.1 is the recommendation mitigation, eliminating Parameter value logging from the flow synchronization process regardless of the Logback configuration." } ], "metrics": [ { "cvssV4_0": { "Automatable": "YES", "Recovery": "USER", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "baseScore": 6.9, "baseSeverity": "MEDIUM", "privilegesRequired": "HIGH", "providerUrgency": "GREEN", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/AU:Y/R:U/V:D/RE:L/U:Green", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "LOW" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-532", "description": "CWE-532 Insertion of Sensitive Information into Log File", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-21T09:28:43.910Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://lists.apache.org/thread/9rz5rwn2zc7pfjq7ppqldqlc067tlcwd" } ], "source": { "defect": [ "NIFI-13971" ], "discovery": "INTERNAL" }, "title": "Apache NiFi: Potential Insertion of Sensitive Parameter Values in Debug Log", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2024-52067", "datePublished": "2024-11-21T09:28:43.910Z", "dateReserved": "2024-11-05T19:48:02.758Z", "dateUpdated": "2024-11-21T15:37:48.210Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-33140
Vulnerability from cvelistv5
Published
2022-06-15 14:25
Modified
2024-08-03 08:01
Severity ?
EPSS score ?
Summary
Improper Neutralization of Command Elements in Shell User Group Provider
References
▼ | URL | Tags |
---|---|---|
https://lists.apache.org/thread/bzs2pcdjsdrh5039oslmfr9mbs9qqdhr | x_refsource_MISC | |
https://nifi.apache.org/security.html#CVE-2022-33140 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Apache Software Foundation | Apache NiFi |
Version: up to 1.16.2 < Version: 1.10.0 < 1.10.0* |
||||
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T08:01:19.873Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lists.apache.org/thread/bzs2pcdjsdrh5039oslmfr9mbs9qqdhr" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://nifi.apache.org/security.html#CVE-2022-33140" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache NiFi", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "1.16.2", "status": "affected", "version": "up to 1.16.2", "versionType": "custom" }, { "lessThan": "1.10.0*", "status": "affected", "version": "1.10.0", "versionType": "custom" } ] }, { "product": "Apache NiFi Registry", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "1.16.2", "status": "affected", "version": "up to 1.16.2", "versionType": "custom" }, { "lessThan": "0.6.0*", "status": "affected", "version": "0.6.0", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not neutralize arguments for group resolution commands, allowing injection of operating system commands on Linux and macOS platforms. The ShellUserGroupProvider is not included in the default configuration. Command injection requires ShellUserGroupProvider to be one of the enabled User Group Providers in the Authorizers configuration. Command injection also requires an authenticated user with elevated privileges. Apache NiFi requires an authenticated user with authorization to modify access policies in order to execute the command. Apache NiFi Registry requires an authenticated user with authorization to read user groups in order to execute the command. The resolution removes command formatting based on user-provided arguments." } ], "metrics": [ { "other": { "content": { "other": "high" }, "type": "unknown" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-06-15T14:25:15", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://lists.apache.org/thread/bzs2pcdjsdrh5039oslmfr9mbs9qqdhr" }, { "tags": [ "x_refsource_MISC" ], "url": "https://nifi.apache.org/security.html#CVE-2022-33140" } ], "source": { "defect": [ "NIFI-10114" ], "discovery": "UNKNOWN" }, "timeline": [ { "lang": "en", "time": "2022-06-11T00:00:00", "value": "reported" } ], "title": "Improper Neutralization of Command Elements in Shell User Group Provider", "workarounds": [ { "lang": "en", "value": "Disabling the ShellUserGroupProvider mitigates the vulnerability." } ], "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2022-33140", "STATE": "PUBLIC", "TITLE": "Improper Neutralization of Command Elements in Shell User Group Provider" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache NiFi", "version": { "version_data": [ { "version_affected": "\u003c=", "version_name": "up to 1.16.2", "version_value": "1.16.2" }, { "version_affected": "\u003e=", "version_name": "1.10.0", "version_value": "1.10.0" } ] } }, { "product_name": "Apache NiFi Registry", "version": { "version_data": [ { "version_affected": "\u003c=", "version_name": "up to 1.16.2", "version_value": "1.16.2" }, { "version_affected": "\u003e=", "version_name": "0.6.0", "version_value": "0.6.0" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not neutralize arguments for group resolution commands, allowing injection of operating system commands on Linux and macOS platforms. The ShellUserGroupProvider is not included in the default configuration. Command injection requires ShellUserGroupProvider to be one of the enabled User Group Providers in the Authorizers configuration. Command injection also requires an authenticated user with elevated privileges. Apache NiFi requires an authenticated user with authorization to modify access policies in order to execute the command. Apache NiFi Registry requires an authenticated user with authorization to read user groups in order to execute the command. The resolution removes command formatting based on user-provided arguments." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": [ { "other": "high" } ], "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)" } ] } ] }, "references": { "reference_data": [ { "name": "https://lists.apache.org/thread/bzs2pcdjsdrh5039oslmfr9mbs9qqdhr", "refsource": "MISC", "url": "https://lists.apache.org/thread/bzs2pcdjsdrh5039oslmfr9mbs9qqdhr" }, { "name": "https://nifi.apache.org/security.html#CVE-2022-33140", "refsource": "MISC", "url": "https://nifi.apache.org/security.html#CVE-2022-33140" } ] }, "source": { "defect": [ "NIFI-10114" ], "discovery": "UNKNOWN" }, "timeline": [ { "lang": "en", "time": "2022-06-11T00:00:00", "value": "reported" } ], "work_around": [ { "lang": "en", "value": "Disabling the ShellUserGroupProvider mitigates the vulnerability." } ] } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2022-33140", "datePublished": "2022-06-15T14:25:15", "dateReserved": "2022-06-13T00:00:00", "dateUpdated": "2024-08-03T08:01:19.873Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2018-1309
Vulnerability from cvelistv5
Published
2018-05-23 14:00
Modified
2024-09-16 16:13
Severity ?
EPSS score ?
Summary
Apache NiFi External XML Entity issue in SplitXML processor. Malicious XML content could cause information disclosure or remote code execution. The fix to disable external general entity parsing and disallow doctype declarations was applied on the Apache NiFi 1.6.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
References
▼ | URL | Tags |
---|---|---|
https://nifi.apache.org/security.html#CVE-2018-1309 | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Apache Software Foundation | Apache NiFi |
Version: 0.1.0 - 1.5.0 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T03:59:37.834Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://nifi.apache.org/security.html#CVE-2018-1309" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache NiFi", "vendor": "Apache Software Foundation", "versions": [ { "status": "affected", "version": "0.1.0 - 1.5.0" } ] } ], "datePublic": "2018-04-08T00:00:00", "descriptions": [ { "lang": "en", "value": "Apache NiFi External XML Entity issue in SplitXML processor. Malicious XML content could cause information disclosure or remote code execution. The fix to disable external general entity parsing and disallow doctype declarations was applied on the Apache NiFi 1.6.0 release. Users running a prior 1.x release should upgrade to the appropriate release." } ], "problemTypes": [ { "descriptions": [ { "description": "Information Disclosure / Remote Code Execution", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-05-23T13:57:01", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://nifi.apache.org/security.html#CVE-2018-1309" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "DATE_PUBLIC": "2018-04-08T00:00:00", "ID": "CVE-2018-1309", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache NiFi", "version": { "version_data": [ { "version_value": "0.1.0 - 1.5.0" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Apache NiFi External XML Entity issue in SplitXML processor. Malicious XML content could cause information disclosure or remote code execution. The fix to disable external general entity parsing and disallow doctype declarations was applied on the Apache NiFi 1.6.0 release. Users running a prior 1.x release should upgrade to the appropriate release." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Information Disclosure / Remote Code Execution" } ] } ] }, "references": { "reference_data": [ { "name": "https://nifi.apache.org/security.html#CVE-2018-1309", "refsource": "CONFIRM", "url": "https://nifi.apache.org/security.html#CVE-2018-1309" } ] } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2018-1309", "datePublished": "2018-05-23T14:00:00Z", "dateReserved": "2017-12-07T00:00:00", "dateUpdated": "2024-09-16T16:13:12.482Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2017-12623
Vulnerability from cvelistv5
Published
2017-10-10 18:00
Modified
2024-09-16 16:17
Severity ?
EPSS score ?
Summary
An authorized user could upload a template which contained malicious code and accessed sensitive files via an XML External Entity (XXE) attack. The fix to properly handle XML External Entities was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
References
▼ | URL | Tags |
---|---|---|
https://nifi.apache.org/security.html#CVE-2017-12623 | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Apache Software Foundation | Apache NiFi |
Version: 1.0.0 to 1.3.0 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T18:43:56.424Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://nifi.apache.org/security.html#CVE-2017-12623" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache NiFi", "vendor": "Apache Software Foundation", "versions": [ { "status": "affected", "version": "1.0.0 to 1.3.0" } ] } ], "datePublic": "2017-10-02T00:00:00", "descriptions": [ { "lang": "en", "value": "An authorized user could upload a template which contained malicious code and accessed sensitive files via an XML External Entity (XXE) attack. The fix to properly handle XML External Entities was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should upgrade to the appropriate release." } ], "problemTypes": [ { "descriptions": [ { "description": "Information Disclosure", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-10-10T17:57:01", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://nifi.apache.org/security.html#CVE-2017-12623" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "DATE_PUBLIC": "2017-10-02T00:00:00", "ID": "CVE-2017-12623", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache NiFi", "version": { "version_data": [ { "version_value": "1.0.0 to 1.3.0" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An authorized user could upload a template which contained malicious code and accessed sensitive files via an XML External Entity (XXE) attack. The fix to properly handle XML External Entities was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should upgrade to the appropriate release." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Information Disclosure" } ] } ] }, "references": { "reference_data": [ { "name": "https://nifi.apache.org/security.html#CVE-2017-12623", "refsource": "CONFIRM", "url": "https://nifi.apache.org/security.html#CVE-2017-12623" } ] } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2017-12623", "datePublished": "2017-10-10T18:00:00Z", "dateReserved": "2017-08-07T00:00:00", "dateUpdated": "2024-09-16T16:17:35.807Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-37389
Vulnerability from cvelistv5
Published
2024-07-08 07:29
Modified
2024-09-13 17:04
Severity ?
EPSS score ?
Summary
Apache NiFi: Improper Neutralization of Input in Parameter Context Description
References
▼ | URL | Tags |
---|---|---|
https://lists.apache.org/thread/yso9fr0wtff53nk046h1o83hdyb1lrxh | vendor-advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Apache Software Foundation | Apache NiFi |
Version: 1.10.0 ≤ 1.26.0 Version: 2.0.0-M1 ≤ 2.0.0-M3 |
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-37389", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-07-08T13:38:24.193311Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-08T13:39:29.650Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-09-13T17:04:52.641Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.apache.org/thread/yso9fr0wtff53nk046h1o83hdyb1lrxh" }, { "url": "http://www.openwall.com/lists/oss-security/2024/07/08/1" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "packageName": "org.apache.nifi:nifi-web-ui", "product": "Apache NiFi", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "1.26.0", "status": "affected", "version": "1.10.0", "versionType": "semver" }, { "lessThanOrEqual": "2.0.0-M3", "status": "affected", "version": "2.0.0-M1", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Akbar Kustirama" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Apache NiFi 1.10.0 through 1.26.0 and 2.0.0-M1 through 2.0.0-M3 support a description field in the Parameter Context configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to configure a Parameter Context, can enter arbitrary JavaScript code, which the client browser will execute within the session context of the authenticated user. Upgrading to Apache NiFi 1.27.0 or 2.0.0-M4 is the recommended mitigation." } ], "value": "Apache NiFi 1.10.0 through 1.26.0 and 2.0.0-M1 through 2.0.0-M3 support a description field in the Parameter Context configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to configure a Parameter Context, can enter arbitrary JavaScript code, which the client browser will execute within the session context of the authenticated user. Upgrading to Apache NiFi 1.27.0 or 2.0.0-M4 is the recommended mitigation." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-07-08T07:29:00.146Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://lists.apache.org/thread/yso9fr0wtff53nk046h1o83hdyb1lrxh" } ], "source": { "defect": [ "NIFI-13374" ], "discovery": "EXTERNAL" }, "timeline": [ { "lang": "en", "time": "2024-06-07T11:15:00.000Z", "value": "reported" }, { "lang": "en", "time": "2024-06-07T12:00:00.000Z", "value": "confirmed" }, { "lang": "en", "time": "2024-06-07T13:45:00.000Z", "value": "resolved" } ], "title": "Apache NiFi: Improper Neutralization of Input in Parameter Context Description", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2024-37389", "datePublished": "2024-07-08T07:29:00.146Z", "dateReserved": "2024-06-07T21:09:31.675Z", "dateUpdated": "2024-09-13T17:04:52.641Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-1928
Vulnerability from cvelistv5
Published
2020-01-28 00:28
Modified
2024-08-04 06:54
Severity ?
EPSS score ?
Summary
An information disclosure vulnerability was found in Apache NiFi 1.10.0. The sensitive parameter parser would log parsed values for debugging purposes. This would expose literal values entered in a sensitive property when no parameter was present.
References
▼ | URL | Tags |
---|---|---|
https://nifi.apache.org/security.html#CVE-2020-1928 | x_refsource_CONFIRM | |
https://lists.apache.org/thread.html/r38a5b7943b9a62ecb853acc22ef08ff586a7b3c66e08f949f0396ab1%40%3Cusers.tomcat.apache.org%3E | mailing-list, x_refsource_MLIST | |
https://lists.apache.org/thread.html/r17aaa3a05b5b7fe9075613dd0c681efa60a4f8c8fbad152c61371b6e%40%3Cusers.tomcat.apache.org%3E | mailing-list, x_refsource_MLIST | |
https://lists.apache.org/thread.html/rd50baccd1bbb96c2327d5a8caa25a49692b3d68d96915bd1cfbb9f8b%40%3Cusers.tomcat.apache.org%3E | mailing-list, x_refsource_MLIST |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Apache Software Foundation | Apache NiFi |
Version: Apache NiFi 1.10.0 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T06:54:00.379Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://nifi.apache.org/security.html#CVE-2020-1928" }, { "name": "[tomcat-users] 20200302 Re: AW: [SECURITY] CVE-2020-1938 AJP Request Injection and potentialRemote Code Execution", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r38a5b7943b9a62ecb853acc22ef08ff586a7b3c66e08f949f0396ab1%40%3Cusers.tomcat.apache.org%3E" }, { "name": "[tomcat-users] 20200302 AW: [SECURITY] CVE-2020-1938 AJP Request Injection and potentialRemote Code Execution", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r17aaa3a05b5b7fe9075613dd0c681efa60a4f8c8fbad152c61371b6e%40%3Cusers.tomcat.apache.org%3E" }, { "name": "[tomcat-users] 20200302 Re: [SECURITY] CVE-2020-1938 AJP Request Injection and potential Remote Code Execution", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rd50baccd1bbb96c2327d5a8caa25a49692b3d68d96915bd1cfbb9f8b%40%3Cusers.tomcat.apache.org%3E" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache NiFi", "vendor": "Apache Software Foundation", "versions": [ { "status": "affected", "version": "Apache NiFi 1.10.0" } ] } ], "descriptions": [ { "lang": "en", "value": "An information disclosure vulnerability was found in Apache NiFi 1.10.0. The sensitive parameter parser would log parsed values for debugging purposes. This would expose literal values entered in a sensitive property when no parameter was present." } ], "problemTypes": [ { "descriptions": [ { "description": "Information Disclosure", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-03-02T11:06:09", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://nifi.apache.org/security.html#CVE-2020-1928" }, { "name": "[tomcat-users] 20200302 Re: AW: [SECURITY] CVE-2020-1938 AJP Request Injection and potentialRemote Code Execution", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r38a5b7943b9a62ecb853acc22ef08ff586a7b3c66e08f949f0396ab1%40%3Cusers.tomcat.apache.org%3E" }, { "name": "[tomcat-users] 20200302 AW: [SECURITY] CVE-2020-1938 AJP Request Injection and potentialRemote Code Execution", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r17aaa3a05b5b7fe9075613dd0c681efa60a4f8c8fbad152c61371b6e%40%3Cusers.tomcat.apache.org%3E" }, { "name": "[tomcat-users] 20200302 Re: [SECURITY] CVE-2020-1938 AJP Request Injection and potential Remote Code Execution", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rd50baccd1bbb96c2327d5a8caa25a49692b3d68d96915bd1cfbb9f8b%40%3Cusers.tomcat.apache.org%3E" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2020-1928", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache NiFi", "version": { "version_data": [ { "version_value": "Apache NiFi 1.10.0" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An information disclosure vulnerability was found in Apache NiFi 1.10.0. The sensitive parameter parser would log parsed values for debugging purposes. This would expose literal values entered in a sensitive property when no parameter was present." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Information Disclosure" } ] } ] }, "references": { "reference_data": [ { "name": "https://nifi.apache.org/security.html#CVE-2020-1928", "refsource": "CONFIRM", "url": "https://nifi.apache.org/security.html#CVE-2020-1928" }, { "name": "[tomcat-users] 20200302 Re: AW: [SECURITY] CVE-2020-1938 AJP Request Injection and potentialRemote Code Execution", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r38a5b7943b9a62ecb853acc22ef08ff586a7b3c66e08f949f0396ab1@%3Cusers.tomcat.apache.org%3E" }, { "name": "[tomcat-users] 20200302 AW: [SECURITY] CVE-2020-1938 AJP Request Injection and potentialRemote Code Execution", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r17aaa3a05b5b7fe9075613dd0c681efa60a4f8c8fbad152c61371b6e@%3Cusers.tomcat.apache.org%3E" }, { "name": "[tomcat-users] 20200302 Re: [SECURITY] CVE-2020-1938 AJP Request Injection and potential Remote Code Execution", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rd50baccd1bbb96c2327d5a8caa25a49692b3d68d96915bd1cfbb9f8b@%3Cusers.tomcat.apache.org%3E" } ] } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2020-1928", "datePublished": "2020-01-28T00:28:08", "dateReserved": "2019-12-02T00:00:00", "dateUpdated": "2024-08-04T06:54:00.379Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2018-1310
Vulnerability from cvelistv5
Published
2018-05-23 14:00
Modified
2024-09-16 23:15
Severity ?
EPSS score ?
Summary
Apache NiFi JMS Deserialization issue because of ActiveMQ client vulnerability. Malicious JMS content could cause denial of service. See ActiveMQ CVE-2015-5254 announcement for more information. The fix to upgrade the activemq-client library to 5.15.3 was applied on the Apache NiFi 1.6.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
References
▼ | URL | Tags |
---|---|---|
https://nifi.apache.org/security.html#CVE-2018-1310 | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Apache Software Foundation | Apache NiFi |
Version: 0.1.0 - 1.5.0 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T03:59:38.379Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://nifi.apache.org/security.html#CVE-2018-1310" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache NiFi", "vendor": "Apache Software Foundation", "versions": [ { "status": "affected", "version": "0.1.0 - 1.5.0" } ] } ], "datePublic": "2018-04-08T00:00:00", "descriptions": [ { "lang": "en", "value": "Apache NiFi JMS Deserialization issue because of ActiveMQ client vulnerability. Malicious JMS content could cause denial of service. See ActiveMQ CVE-2015-5254 announcement for more information. The fix to upgrade the activemq-client library to 5.15.3 was applied on the Apache NiFi 1.6.0 release. Users running a prior 1.x release should upgrade to the appropriate release." } ], "problemTypes": [ { "descriptions": [ { "description": "Denial of Service", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-05-23T13:57:01", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://nifi.apache.org/security.html#CVE-2018-1310" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "DATE_PUBLIC": "2018-04-08T00:00:00", "ID": "CVE-2018-1310", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache NiFi", "version": { "version_data": [ { "version_value": "0.1.0 - 1.5.0" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Apache NiFi JMS Deserialization issue because of ActiveMQ client vulnerability. Malicious JMS content could cause denial of service. See ActiveMQ CVE-2015-5254 announcement for more information. The fix to upgrade the activemq-client library to 5.15.3 was applied on the Apache NiFi 1.6.0 release. Users running a prior 1.x release should upgrade to the appropriate release." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Denial of Service" } ] } ] }, "references": { "reference_data": [ { "name": "https://nifi.apache.org/security.html#CVE-2018-1310", "refsource": "CONFIRM", "url": "https://nifi.apache.org/security.html#CVE-2018-1310" } ] } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2018-1310", "datePublished": "2018-05-23T14:00:00Z", "dateReserved": "2017-12-07T00:00:00", "dateUpdated": "2024-09-16T23:15:51.628Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-45477
Vulnerability from cvelistv5
Published
2024-10-29 09:00
Modified
2024-10-29 14:51
Severity ?
EPSS score ?
Summary
Apache NiFi: Improper Neutralization of Input in Parameter Description
References
▼ | URL | Tags |
---|---|---|
https://lists.apache.org/thread/shdv0tw9hggj7tx9pl7g93mgok2lwbj9 | vendor-advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Apache Software Foundation | Apache NiFi |
Version: 1.10.0 ≤ 1.27.0 Version: 2.0.0-M1 ≤ 2.0.0-M3 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-10-29T09:03:21.719Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "url": "http://www.openwall.com/lists/oss-security/2024/10/28/1" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-45477", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-29T14:36:50.592348Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-29T14:51:54.639Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "packageName": "org.apache.nifi:nifi-web-ui", "product": "Apache NiFi", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "1.27.0", "status": "affected", "version": "1.10.0", "versionType": "semver" }, { "lessThanOrEqual": "2.0.0-M3", "status": "affected", "version": "2.0.0-M1", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Muhammad Hazim Bin Nor Aizi" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Apache NiFi 1.10.0 through 1.27.0 and 2.0.0-M1 through 2.0.0-M3 support a description field for Parameters in a Parameter Context configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to configure a Parameter Context, can enter arbitrary JavaScript code, which the client browser will execute within the session context of the authenticated user. Upgrading to Apache NiFi 1.28.0 or 2.0.0-M4 is the recommended mitigation." } ], "value": "Apache NiFi 1.10.0 through 1.27.0 and 2.0.0-M1 through 2.0.0-M3 support a description field for Parameters in a Parameter Context configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to configure a Parameter Context, can enter arbitrary JavaScript code, which the client browser will execute within the session context of the authenticated user. Upgrading to Apache NiFi 1.28.0 or 2.0.0-M4 is the recommended mitigation." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-10-29T09:00:08.387Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://lists.apache.org/thread/shdv0tw9hggj7tx9pl7g93mgok2lwbj9" } ], "source": { "defect": [ "NIFI-13675" ], "discovery": "UNKNOWN" }, "timeline": [ { "lang": "en", "time": "2024-08-23T00:00:00.000Z", "value": "reported" }, { "lang": "en", "time": "2024-08-23T06:00:00.000Z", "value": "confirmed" }, { "lang": "en", "time": "2024-08-25T03:00:00.000Z", "value": "resolved" } ], "title": "Apache NiFi: Improper Neutralization of Input in Parameter Description", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2024-45477", "datePublished": "2024-10-29T09:00:08.387Z", "dateReserved": "2024-08-29T13:22:14.173Z", "dateUpdated": "2024-10-29T14:51:54.639Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-44145
Vulnerability from cvelistv5
Published
2021-12-17 08:50
Modified
2024-08-04 04:17
Severity ?
EPSS score ?
Summary
Apache NiFi information disclosure by XXE
References
▼ | URL | Tags |
---|---|---|
https://nifi.apache.org/security.html#1.15.1-vulnerabilities | x_refsource_MISC | |
http://www.openwall.com/lists/oss-security/2021/12/17/1 | mailing-list, x_refsource_MLIST |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Apache Software Foundation | Apache NiFi |
Version: Apache NiFi < |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T04:17:24.439Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://nifi.apache.org/security.html#1.15.1-vulnerabilities" }, { "name": "[oss-security] 20211216 CVE-2021-44145: Apache NiFi information disclosure by XXE", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2021/12/17/1" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache NiFi", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "1.15.0", "status": "affected", "version": "Apache NiFi", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "This issue was discovered by DangKhai at Viettel Cyber Security." } ], "descriptions": [ { "lang": "en", "value": "In the TransformXML processor of Apache NiFi before 1.15.1 an authenticated user could configure an XSLT file which, if it included malicious external entity calls, may reveal sensitive information." } ], "metrics": [ { "other": { "content": { "other": "Low" }, "type": "unknown" } } ], "problemTypes": [ { "descriptions": [ { "description": "Sensitive information disclosure", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-12-17T09:06:06", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://nifi.apache.org/security.html#1.15.1-vulnerabilities" }, { "name": "[oss-security] 20211216 CVE-2021-44145: Apache NiFi information disclosure by XXE", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2021/12/17/1" } ], "source": { "defect": [ "NIFI-9399" ], "discovery": "UNKNOWN" }, "title": "Apache NiFi information disclosure by XXE", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2021-44145", "STATE": "PUBLIC", "TITLE": "Apache NiFi information disclosure by XXE" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache NiFi", "version": { "version_data": [ { "version_affected": "\u003c=", "version_name": "Apache NiFi", "version_value": "1.15.0" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "credit": [ { "lang": "eng", "value": "This issue was discovered by DangKhai at Viettel Cyber Security." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In the TransformXML processor of Apache NiFi before 1.15.1 an authenticated user could configure an XSLT file which, if it included malicious external entity calls, may reveal sensitive information." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": [ { "other": "Low" } ], "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Sensitive information disclosure" } ] } ] }, "references": { "reference_data": [ { "name": "https://nifi.apache.org/security.html#1.15.1-vulnerabilities", "refsource": "MISC", "url": "https://nifi.apache.org/security.html#1.15.1-vulnerabilities" }, { "name": "[oss-security] 20211216 CVE-2021-44145: Apache NiFi information disclosure by XXE", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2021/12/17/1" } ] }, "source": { "defect": [ "NIFI-9399" ], "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2021-44145", "datePublished": "2021-12-17T08:50:09", "dateReserved": "2021-11-22T00:00:00", "dateUpdated": "2024-08-04T04:17:24.439Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-26850
Vulnerability from cvelistv5
Published
2022-04-06 17:40
Modified
2024-08-03 05:11
Severity ?
EPSS score ?
Summary
Insufficiently protected credentials
References
▼ | URL | Tags |
---|---|---|
https://nifi.apache.org/security.html#CVE-2022-26850 | x_refsource_MISC | |
http://www.openwall.com/lists/oss-security/2022/04/06/2 | mailing-list, x_refsource_MLIST |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Apache Software Foundation | Apache NiFi |
Version: NiFi 1.14.0 to 1.15.3 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T05:11:45.347Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://nifi.apache.org/security.html#CVE-2022-26850" }, { "name": "[oss-security] 20220406 CVE-2022-26850: Apache NiFi: Insufficiently protected credentials", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/04/06/2" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache NiFi", "vendor": "Apache Software Foundation", "versions": [ { "status": "affected", "version": "NiFi 1.14.0 to 1.15.3" } ] } ], "credits": [ { "lang": "en", "value": "This issue was discovered by Jonathan Leitschuh (https://twitter.com/jlleitschuh)" } ], "descriptions": [ { "lang": "en", "value": "When creating or updating credentials for single-user access, Apache NiFi wrote a copy of the Login Identity Providers configuration to the operating system temporary directory. On most platforms, the operating system temporary directory has global read permissions. NiFi immediately moved the temporary file to the final configuration directory, which significantly limited the window of opportunity for access. NiFi 1.16.0 includes updates to replace the Login Identity Providers configuration without writing a file to the operating system temporary directory." } ], "metrics": [ { "other": { "content": { "other": "moderate" }, "type": "unknown" } } ], "problemTypes": [ { "descriptions": [ { "description": "Insufficiently protected credentials", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-04-06T20:06:16", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://nifi.apache.org/security.html#CVE-2022-26850" }, { "name": "[oss-security] 20220406 CVE-2022-26850: Apache NiFi: Insufficiently protected credentials", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2022/04/06/2" } ], "source": { "defect": [ "NIFI-9785" ], "discovery": "UNKNOWN" }, "title": "Insufficiently protected credentials", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2022-26850", "STATE": "PUBLIC", "TITLE": "Insufficiently protected credentials" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache NiFi", "version": { "version_data": [ { "version_affected": "=", "version_name": "NiFi", "version_value": "1.14.0 to 1.15.3" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "credit": [ { "lang": "eng", "value": "This issue was discovered by Jonathan Leitschuh (https://twitter.com/jlleitschuh)" } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "When creating or updating credentials for single-user access, Apache NiFi wrote a copy of the Login Identity Providers configuration to the operating system temporary directory. On most platforms, the operating system temporary directory has global read permissions. NiFi immediately moved the temporary file to the final configuration directory, which significantly limited the window of opportunity for access. NiFi 1.16.0 includes updates to replace the Login Identity Providers configuration without writing a file to the operating system temporary directory." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": [ { "other": "moderate" } ], "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Insufficiently protected credentials" } ] } ] }, "references": { "reference_data": [ { "name": "https://nifi.apache.org/security.html#CVE-2022-26850", "refsource": "MISC", "url": "https://nifi.apache.org/security.html#CVE-2022-26850" }, { "name": "[oss-security] 20220406 CVE-2022-26850: Apache NiFi: Insufficiently protected credentials", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/04/06/2" } ] }, "source": { "defect": [ "NIFI-9785" ], "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2022-26850", "datePublished": "2022-04-06T17:40:09", "dateReserved": "2022-03-10T00:00:00", "dateUpdated": "2024-08-03T05:11:45.347Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-29265
Vulnerability from cvelistv5
Published
2022-04-30 08:05
Modified
2024-08-03 06:17
Severity ?
EPSS score ?
Summary
Improper Restriction of XML External Entity References in Multiple Components
References
▼ | URL | Tags |
---|---|---|
https://nifi.apache.org/security.html#CVE-2022-29265 | x_refsource_MISC | |
https://lists.apache.org/thread/47od9kr9n4cyv0mv81jh3pkyx815kyjl | x_refsource_MISC |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Apache Software Foundation | Apache NiFi |
Version: 0.0.1 to 1.16.0 < |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T06:17:54.476Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://nifi.apache.org/security.html#CVE-2022-29265" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lists.apache.org/thread/47od9kr9n4cyv0mv81jh3pkyx815kyjl" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache NiFi", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "0.0.1 to 1.16.0", "status": "affected", "version": "0.0.1 to 1.16.0", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "David Handermann at exceptionfactory.com reported this issue." } ], "descriptions": [ { "lang": "en", "value": "Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configuration. The Standard Content Viewer service attempts to resolve XML External Entity references when viewing formatted XML files. The following Processors attempt to resolve XML External Entity references when configured with default property values: - EvaluateXPath - EvaluateXQuery - ValidateXml Apache NiFi flow configurations that include these Processors are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. The resolution disables Document Type Declarations in the default configuration for these Processors, and disallows XML External Entity resolution in standard services." } ], "metrics": [ { "other": { "content": { "other": "moderate" }, "type": "unknown" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-611", "description": "CWE-611 Improper Restriction of XML External Entity Reference", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-04-30T08:05:10", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://nifi.apache.org/security.html#CVE-2022-29265" }, { "tags": [ "x_refsource_MISC" ], "url": "https://lists.apache.org/thread/47od9kr9n4cyv0mv81jh3pkyx815kyjl" } ], "source": { "defect": [ "NIFI-9901" ], "discovery": "UNKNOWN" }, "timeline": [ { "lang": "en", "time": "2022-04-08T00:00:00Z", "value": "reported" } ], "title": "Improper Restriction of XML External Entity References in Multiple Components", "workarounds": [ { "lang": "en", "value": "Disabling the Validate DTD Processor Property in EvaluateXPath and EvaluateXQuery mitigates the vulnerability for those Processors. No mitigation is available for the ValidateXml Processor or the Standard Content Viewer." } ], "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2022-29265", "STATE": "PUBLIC", "TITLE": "Improper Restriction of XML External Entity References in Multiple Components" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache NiFi", "version": { "version_data": [ { "version_affected": "\u003c=", "version_name": "0.0.1 to 1.16.0", "version_value": "0.0.1 to 1.16.0" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "credit": [ { "lang": "eng", "value": "David Handermann at exceptionfactory.com reported this issue." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configuration. The Standard Content Viewer service attempts to resolve XML External Entity references when viewing formatted XML files. The following Processors attempt to resolve XML External Entity references when configured with default property values: - EvaluateXPath - EvaluateXQuery - ValidateXml Apache NiFi flow configurations that include these Processors are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. The resolution disables Document Type Declarations in the default configuration for these Processors, and disallows XML External Entity resolution in standard services." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": [ { "other": "moderate" } ], "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-611 Improper Restriction of XML External Entity Reference" } ] } ] }, "references": { "reference_data": [ { "name": "https://nifi.apache.org/security.html#CVE-2022-29265", "refsource": "MISC", "url": "https://nifi.apache.org/security.html#CVE-2022-29265" }, { "name": "https://lists.apache.org/thread/47od9kr9n4cyv0mv81jh3pkyx815kyjl", "refsource": "MISC", "url": "https://lists.apache.org/thread/47od9kr9n4cyv0mv81jh3pkyx815kyjl" } ] }, "source": { "defect": [ "NIFI-9901" ], "discovery": "UNKNOWN" }, "timeline": [ { "lang": "en" }, { "lang": "en", "time": "2022-04-08T00:00:00Z", "value": "reported" } ], "work_around": [ { "lang": "en", "value": "Disabling the Validate DTD Processor Property in EvaluateXPath and EvaluateXQuery mitigates the vulnerability for those Processors. No mitigation is available for the ValidateXml Processor or the Standard Content Viewer." } ] } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2022-29265", "datePublished": "2022-04-30T08:05:10", "dateReserved": "2022-04-14T00:00:00", "dateUpdated": "2024-08-03T06:17:54.476Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2018-17195
Vulnerability from cvelistv5
Published
2018-12-19 14:00
Modified
2024-08-05 10:39
Severity ?
EPSS score ?
Summary
The template upload API endpoint accepted requests from different domain when sent in conjunction with ARP spoofing + man in the middle (MiTM) attack, resulting in a CSRF attack. The required attack vector is complex, requiring a scenario with client certificate authentication, same subnet access, and injecting malicious code into an unprotected (plaintext HTTP) website which the targeted user later visits, but the possible damage warranted a Severe severity level. Mitigation: The fix to apply Cross-Origin Resource Sharing (CORS) policy request filtering was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
References
▼ | URL | Tags |
---|---|---|
https://nifi.apache.org/security.html#CVE-2018-17195 | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Apache Software Foundation | Apache NiFi |
Version: Apache NiFi 1.0.0 - 1.7.1 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T10:39:59.593Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://nifi.apache.org/security.html#CVE-2018-17195" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache NiFi", "vendor": "Apache Software Foundation", "versions": [ { "status": "affected", "version": "Apache NiFi 1.0.0 - 1.7.1" } ] } ], "datePublic": "2018-12-19T00:00:00", "descriptions": [ { "lang": "en", "value": "The template upload API endpoint accepted requests from different domain when sent in conjunction with ARP spoofing + man in the middle (MiTM) attack, resulting in a CSRF attack. The required attack vector is complex, requiring a scenario with client certificate authentication, same subnet access, and injecting malicious code into an unprotected (plaintext HTTP) website which the targeted user later visits, but the possible damage warranted a Severe severity level. Mitigation: The fix to apply Cross-Origin Resource Sharing (CORS) policy request filtering was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release." } ], "problemTypes": [ { "descriptions": [ { "description": "Cross Site Request Forgery", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-12-19T13:57:01", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://nifi.apache.org/security.html#CVE-2018-17195" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2018-17195", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache NiFi", "version": { "version_data": [ { "version_value": "Apache NiFi 1.0.0 - 1.7.1" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The template upload API endpoint accepted requests from different domain when sent in conjunction with ARP spoofing + man in the middle (MiTM) attack, resulting in a CSRF attack. The required attack vector is complex, requiring a scenario with client certificate authentication, same subnet access, and injecting malicious code into an unprotected (plaintext HTTP) website which the targeted user later visits, but the possible damage warranted a Severe severity level. Mitigation: The fix to apply Cross-Origin Resource Sharing (CORS) policy request filtering was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross Site Request Forgery" } ] } ] }, "references": { "reference_data": [ { "name": "https://nifi.apache.org/security.html#CVE-2018-17195", "refsource": "CONFIRM", "url": "https://nifi.apache.org/security.html#CVE-2018-17195" } ] } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2018-17195", "datePublished": "2018-12-19T14:00:00", "dateReserved": "2018-09-19T00:00:00", "dateUpdated": "2024-08-05T10:39:59.593Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-34212
Vulnerability from cvelistv5
Published
2023-06-12 15:14
Modified
2024-10-09 13:39
Severity ?
EPSS score ?
Summary
Apache NiFi: Potential Deserialization of Untrusted Data with JNDI in JMS Components
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Apache Software Foundation | Apache NiFi |
Version: 1.8.0 ≤ 1.21.0 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T16:01:54.310Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "release-notes", "x_transferred" ], "url": "https://nifi.apache.org/security.html#CVE-2023-34212" }, { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.apache.org/thread/w5rm46fxmvxy216tglf0dv83wo6gnzr5" }, { "tags": [ "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2023/06/12/2" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-34212", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-09T13:37:27.959635Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-09T13:39:18.394Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Apache NiFi", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "1.21.0", "status": "affected", "version": "1.8.0", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Veraxy00 of Qianxin TI Center" }, { "lang": "en", "type": "reporter", "value": "Matei \"Mal\" Badanoiu" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cdiv\u003eThe JndiJmsConnectionFactoryProvider Controller Service, along with the ConsumeJMS and PublishJMS Processors, in Apache NiFi 1.8.0 through 1.21.0 allow an authenticated and authorized user to configure URL and library properties that enable deserialization of untrusted data from a remote location.\u003c/div\u003e\u003cdiv\u003eThe resolution validates the JNDI URL and restricts locations to a set of allowed schemes.\u003c/div\u003e\u003cdiv\u003eYou are recommended to upgrade to version 1.22.0 or later which fixes this issue.\u003cbr\u003e\u003c/div\u003e" } ], "value": "The JndiJmsConnectionFactoryProvider Controller Service, along with the ConsumeJMS and PublishJMS Processors, in Apache NiFi 1.8.0 through 1.21.0 allow an authenticated and authorized user to configure URL and library properties that enable deserialization of untrusted data from a remote location.\n\nThe resolution validates the JNDI URL and restricts locations to a set of allowed schemes.\n\nYou are recommended to upgrade to version 1.22.0 or later which fixes this issue.\n\n\n" } ], "metrics": [ { "other": { "content": { "text": "important" }, "type": "Textual description of severity" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-06-12T15:14:06.990Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "release-notes" ], "url": "https://nifi.apache.org/security.html#CVE-2023-34212" }, { "tags": [ "vendor-advisory" ], "url": "https://lists.apache.org/thread/w5rm46fxmvxy216tglf0dv83wo6gnzr5" }, { "url": "http://www.openwall.com/lists/oss-security/2023/06/12/2" } ], "source": { "defect": [ "NIFI-11614" ], "discovery": "EXTERNAL" }, "timeline": [ { "lang": "en", "time": "2023-05-28T08:00:00.000Z", "value": "reported" }, { "lang": "en", "time": "2023-05-29T06:00:00.000Z", "value": "confirmed" }, { "lang": "en", "time": "2023-06-01T00:00:00.000Z", "value": "resolved" } ], "title": "Apache NiFi: Potential Deserialization of Untrusted Data with JNDI in JMS Components", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2023-34212", "datePublished": "2023-06-12T15:14:06.990Z", "dateReserved": "2023-05-30T16:13:48.779Z", "dateUpdated": "2024-10-09T13:39:18.394Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2018-17192
Vulnerability from cvelistv5
Published
2018-12-19 14:00
Modified
2024-08-05 10:39
Severity ?
EPSS score ?
Summary
The X-Frame-Options headers were applied inconsistently on some HTTP responses, resulting in duplicate or missing security headers. Some browsers would interpret these results incorrectly, allowing clickjacking attacks. Mitigation: The fix to consistently apply the security headers was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
References
▼ | URL | Tags |
---|---|---|
https://nifi.apache.org/security.html#CVE-2018-17192 | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Apache Software Foundation | Apache NiFi |
Version: Apache NiFi 1.0.0 - 1.7.1 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T10:39:59.558Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://nifi.apache.org/security.html#CVE-2018-17192" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache NiFi", "vendor": "Apache Software Foundation", "versions": [ { "status": "affected", "version": "Apache NiFi 1.0.0 - 1.7.1" } ] } ], "datePublic": "2018-12-19T00:00:00", "descriptions": [ { "lang": "en", "value": "The X-Frame-Options headers were applied inconsistently on some HTTP responses, resulting in duplicate or missing security headers. Some browsers would interpret these results incorrectly, allowing clickjacking attacks. Mitigation: The fix to consistently apply the security headers was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release." } ], "problemTypes": [ { "descriptions": [ { "description": "Clickjacking", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-12-19T13:57:01", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://nifi.apache.org/security.html#CVE-2018-17192" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2018-17192", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache NiFi", "version": { "version_data": [ { "version_value": "Apache NiFi 1.0.0 - 1.7.1" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The X-Frame-Options headers were applied inconsistently on some HTTP responses, resulting in duplicate or missing security headers. Some browsers would interpret these results incorrectly, allowing clickjacking attacks. Mitigation: The fix to consistently apply the security headers was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Clickjacking" } ] } ] }, "references": { "reference_data": [ { "name": "https://nifi.apache.org/security.html#CVE-2018-17192", "refsource": "CONFIRM", "url": "https://nifi.apache.org/security.html#CVE-2018-17192" } ] } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2018-17192", "datePublished": "2018-12-19T14:00:00", "dateReserved": "2018-09-19T00:00:00", "dateUpdated": "2024-08-05T10:39:59.558Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2017-5636
Vulnerability from cvelistv5
Published
2017-10-19 20:00
Modified
2024-08-05 15:04
Severity ?
EPSS score ?
Summary
In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, the proxy chain serialization/deserialization is vulnerable to an injection attack where a carefully crafted username could impersonate another user and gain their permissions on a replicated request to another node.
References
▼ | URL | Tags |
---|---|---|
http://www.securityfocus.com/bid/96731 | vdb-entry, x_refsource_BID | |
https://nifi.apache.org/security.html#CVE-2017-5636 | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Apache Software Foundation | Apache NiFi |
Version: 0.7.0 Version: 0.7.1 Version: 1.1.0 Version: 1.1.1 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T15:04:15.356Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "96731", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/96731" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://nifi.apache.org/security.html#CVE-2017-5636" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache NiFi", "vendor": "Apache Software Foundation", "versions": [ { "status": "affected", "version": "0.7.0" }, { "status": "affected", "version": "0.7.1" }, { "status": "affected", "version": "1.1.0" }, { "status": "affected", "version": "1.1.1" } ] } ], "datePublic": "2017-02-20T00:00:00", "descriptions": [ { "lang": "en", "value": "In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, the proxy chain serialization/deserialization is vulnerable to an injection attack where a carefully crafted username could impersonate another user and gain their permissions on a replicated request to another node." } ], "problemTypes": [ { "descriptions": [ { "description": "Escalation of Privilege", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-10-20T09:57:01", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "name": "96731", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/96731" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://nifi.apache.org/security.html#CVE-2017-5636" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2017-5636", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache NiFi", "version": { "version_data": [ { "version_value": "0.7.0" }, { "version_value": "0.7.1" }, { "version_value": "1.1.0" }, { "version_value": "1.1.1" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, the proxy chain serialization/deserialization is vulnerable to an injection attack where a carefully crafted username could impersonate another user and gain their permissions on a replicated request to another node." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Escalation of Privilege" } ] } ] }, "references": { "reference_data": [ { "name": "96731", "refsource": "BID", "url": "http://www.securityfocus.com/bid/96731" }, { "name": "https://nifi.apache.org/security.html#CVE-2017-5636", "refsource": "CONFIRM", "url": "https://nifi.apache.org/security.html#CVE-2017-5636" } ] } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2017-5636", "datePublished": "2017-10-19T20:00:00", "dateReserved": "2017-01-29T00:00:00", "dateUpdated": "2024-08-05T15:04:15.356Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2017-15703
Vulnerability from cvelistv5
Published
2018-01-25 21:00
Modified
2024-09-16 22:20
Severity ?
EPSS score ?
Summary
Any authenticated user (valid client certificate but without ACL permissions) could upload a template which contained malicious code and caused a denial of service via Java deserialization attack. The fix to properly handle Java deserialization was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
References
▼ | URL | Tags |
---|---|---|
https://nifi.apache.org/security.html#CVE-2017-15703 | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Apache Software Foundation | Apache NiFi |
Version: 1.0.0 - 1.3.0 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T20:04:48.447Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://nifi.apache.org/security.html#CVE-2017-15703" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache NiFi", "vendor": "Apache Software Foundation", "versions": [ { "status": "affected", "version": "1.0.0 - 1.3.0" } ] } ], "datePublic": "2017-10-02T00:00:00", "descriptions": [ { "lang": "en", "value": "Any authenticated user (valid client certificate but without ACL permissions) could upload a template which contained malicious code and caused a denial of service via Java deserialization attack. The fix to properly handle Java deserialization was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should upgrade to the appropriate release." } ], "problemTypes": [ { "descriptions": [ { "description": "Java deserialization", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-01-25T20:57:01", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://nifi.apache.org/security.html#CVE-2017-15703" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "DATE_PUBLIC": "2017-10-02T00:00:00", "ID": "CVE-2017-15703", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache NiFi", "version": { "version_data": [ { "version_value": "1.0.0 - 1.3.0" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Any authenticated user (valid client certificate but without ACL permissions) could upload a template which contained malicious code and caused a denial of service via Java deserialization attack. The fix to properly handle Java deserialization was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should upgrade to the appropriate release." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Java deserialization" } ] } ] }, "references": { "reference_data": [ { "name": "https://nifi.apache.org/security.html#CVE-2017-15703", "refsource": "CONFIRM", "url": "https://nifi.apache.org/security.html#CVE-2017-15703" } ] } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2017-15703", "datePublished": "2018-01-25T21:00:00Z", "dateReserved": "2017-10-21T00:00:00", "dateUpdated": "2024-09-16T22:20:47.668Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-34468
Vulnerability from cvelistv5
Published
2023-06-12 15:09
Modified
2024-10-08 20:27
Severity ?
EPSS score ?
Summary
Apache NiFi: Potential Code Injection with Database Services using H2
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Apache Software Foundation | Apache NiFi |
Version: 0.0.2 ≤ 1.21.0 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T16:10:07.133Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "release-notes", "x_transferred" ], "url": "https://nifi.apache.org/security.html#CVE-2023-34468" }, { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.apache.org/thread/7b82l4f5blmpkfcynf3y6z4x1vqo59h8" }, { "tags": [ "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2023/06/12/3" }, { "tags": [ "x_transferred" ], "url": "http://packetstormsecurity.com/files/174398/Apache-NiFi-H2-Connection-String-Remote-Code-Execution.html" }, { "tags": [ "x_transferred" ], "url": "https://www.cyfirma.com/outofband/apache-nifi-cve-2023-34468-rce-vulnerability-analysis-and-exploitation/" } ], "title": "CVE Program Container" }, { "affected": [ { "cpes": [ "cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "nifi", "vendor": "apache", "versions": [ { "lessThanOrEqual": "1.21.0", "status": "affected", "version": "0.0.2", "versionType": "custom" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2023-34468", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-10-08T20:21:50.926008Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-08T20:27:24.966Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Apache NiFi", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "1.21.0", "status": "affected", "version": "0.0.2", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Matei \"Mal\" Badanoiu" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cdiv\u003eThe DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution.\u003c/div\u003e\u003cdiv\u003eThe resolution validates the Database URL and rejects H2 JDBC locations.\u003c/div\u003e\u003cdiv\u003eYou are recommended to upgrade to version 1.22.0 or later which fixes this issue.\u003cbr\u003e\u003c/div\u003e" } ], "value": "The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution.\n\nThe resolution validates the Database URL and rejects H2 JDBC locations.\n\nYou are recommended to upgrade to version 1.22.0 or later which fixes this issue.\n\n\n" } ], "metrics": [ { "other": { "content": { "text": "important" }, "type": "Textual description of severity" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-06-12T15:09:20.711Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "release-notes" ], "url": "https://nifi.apache.org/security.html#CVE-2023-34468" }, { "tags": [ "vendor-advisory" ], "url": "https://lists.apache.org/thread/7b82l4f5blmpkfcynf3y6z4x1vqo59h8" }, { "url": "http://www.openwall.com/lists/oss-security/2023/06/12/3" }, { "url": "http://packetstormsecurity.com/files/174398/Apache-NiFi-H2-Connection-String-Remote-Code-Execution.html" }, { "url": "https://www.cyfirma.com/outofband/apache-nifi-cve-2023-34468-rce-vulnerability-analysis-and-exploitation/" } ], "source": { "defect": [ "NIFI-11653" ], "discovery": "EXTERNAL" }, "timeline": [ { "lang": "en", "time": "2023-06-06T01:00:00.000Z", "value": "reported" }, { "lang": "en", "time": "2023-06-06T09:00:00.000Z", "value": "confirmed" }, { "lang": "en", "time": "2023-06-06T09:00:00.000Z", "value": "resolved" } ], "title": "Apache NiFi: Potential Code Injection with Database Services using H2", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2023-34468", "datePublished": "2023-06-12T15:09:20.711Z", "dateReserved": "2023-06-06T17:30:23.654Z", "dateUpdated": "2024-10-08T20:27:24.966Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2017-7667
Vulnerability from cvelistv5
Published
2017-06-12 16:00
Modified
2024-08-05 16:12
Severity ?
EPSS score ?
Summary
Apache NiFi before 0.7.4 and 1.x before 1.3.0 need to establish the response header telling browsers to only allow framing with the same origin.
References
▼ | URL | Tags |
---|---|---|
http://www.securityfocus.com/bid/99018 | vdb-entry, x_refsource_BID | |
https://lists.apache.org/thread.html/d779d6129de1a5aa149c219b2fc6e9e78156614eaac92a89cbaf9bce%40%3Cdev.nifi.apache.org%3E | mailing-list, x_refsource_MLIST |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Apache Software Foundation | Apache NiFi |
Version: 0.0.1 to 0.7.3 Version: 1.0.0 to 1.2.0 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T16:12:27.709Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "99018", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/99018" }, { "name": "[dev] 20170611 [ANNOUNCE] Apache NiFi CVE-2017-7667 and CVE-2017-7665", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/d779d6129de1a5aa149c219b2fc6e9e78156614eaac92a89cbaf9bce%40%3Cdev.nifi.apache.org%3E" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache NiFi", "vendor": "Apache Software Foundation", "versions": [ { "status": "affected", "version": "0.0.1 to 0.7.3" }, { "status": "affected", "version": "1.0.0 to 1.2.0" } ] } ], "datePublic": "2017-06-11T00:00:00", "descriptions": [ { "lang": "en", "value": "Apache NiFi before 0.7.4 and 1.x before 1.3.0 need to establish the response header telling browsers to only allow framing with the same origin." } ], "problemTypes": [ { "descriptions": [ { "description": "Information Disclosure", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-06-14T09:57:01", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "name": "99018", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/99018" }, { "name": "[dev] 20170611 [ANNOUNCE] Apache NiFi CVE-2017-7667 and CVE-2017-7665", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/d779d6129de1a5aa149c219b2fc6e9e78156614eaac92a89cbaf9bce%40%3Cdev.nifi.apache.org%3E" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2017-7667", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache NiFi", "version": { "version_data": [ { "version_value": "0.0.1 to 0.7.3" }, { "version_value": "1.0.0 to 1.2.0" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Apache NiFi before 0.7.4 and 1.x before 1.3.0 need to establish the response header telling browsers to only allow framing with the same origin." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Information Disclosure" } ] } ] }, "references": { "reference_data": [ { "name": "99018", "refsource": "BID", "url": "http://www.securityfocus.com/bid/99018" }, { "name": "[dev] 20170611 [ANNOUNCE] Apache NiFi CVE-2017-7667 and CVE-2017-7665", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/d779d6129de1a5aa149c219b2fc6e9e78156614eaac92a89cbaf9bce@%3Cdev.nifi.apache.org%3E" } ] } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2017-7667", "datePublished": "2017-06-12T16:00:00", "dateReserved": "2017-04-11T00:00:00", "dateUpdated": "2024-08-05T16:12:27.709Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2018-17194
Vulnerability from cvelistv5
Published
2018-12-19 14:00
Modified
2024-08-05 10:39
Severity ?
EPSS score ?
Summary
When a client request to a cluster node was replicated to other nodes in the cluster for verification, the Content-Length was forwarded. On a DELETE request, the body was ignored, but if the initial request had a Content-Length value other than 0, the receiving nodes would wait for the body and eventually timeout. Mitigation: The fix to check DELETE requests and overwrite non-zero Content-Length header values was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
References
▼ | URL | Tags |
---|---|---|
https://nifi.apache.org/security.html#CVE-2018-17194 | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Apache Software Foundation | Apache NiFi |
Version: Apache NiFi 1.0.0 - 1.7.1 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T10:39:59.603Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://nifi.apache.org/security.html#CVE-2018-17194" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache NiFi", "vendor": "Apache Software Foundation", "versions": [ { "status": "affected", "version": "Apache NiFi 1.0.0 - 1.7.1" } ] } ], "datePublic": "2018-12-19T00:00:00", "descriptions": [ { "lang": "en", "value": "When a client request to a cluster node was replicated to other nodes in the cluster for verification, the Content-Length was forwarded. On a DELETE request, the body was ignored, but if the initial request had a Content-Length value other than 0, the receiving nodes would wait for the body and eventually timeout. Mitigation: The fix to check DELETE requests and overwrite non-zero Content-Length header values was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release." } ], "problemTypes": [ { "descriptions": [ { "description": "Denial of service", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-12-19T13:57:01", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://nifi.apache.org/security.html#CVE-2018-17194" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2018-17194", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache NiFi", "version": { "version_data": [ { "version_value": "Apache NiFi 1.0.0 - 1.7.1" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "When a client request to a cluster node was replicated to other nodes in the cluster for verification, the Content-Length was forwarded. On a DELETE request, the body was ignored, but if the initial request had a Content-Length value other than 0, the receiving nodes would wait for the body and eventually timeout. Mitigation: The fix to check DELETE requests and overwrite non-zero Content-Length header values was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Denial of service" } ] } ] }, "references": { "reference_data": [ { "name": "https://nifi.apache.org/security.html#CVE-2018-17194", "refsource": "CONFIRM", "url": "https://nifi.apache.org/security.html#CVE-2018-17194" } ] } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2018-17194", "datePublished": "2018-12-19T14:00:00", "dateReserved": "2018-09-19T00:00:00", "dateUpdated": "2024-08-05T10:39:59.603Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2017-15697
Vulnerability from cvelistv5
Published
2018-01-23 22:00
Modified
2024-09-17 03:48
Severity ?
EPSS score ?
Summary
A malicious X-ProxyContextPath or X-Forwarded-Context header containing external resources or embedded code could cause remote code execution. The fix to properly handle these headers was applied on the Apache NiFi 1.5.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
References
▼ | URL | Tags |
---|---|---|
https://nifi.apache.org/security.html#CVE-2017-15697 | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Apache Software Foundation | Apache NiFi |
Version: 1.0.0 - 1.4.0 Version: 0.1.0 - 0.7.x |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T20:04:48.547Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://nifi.apache.org/security.html#CVE-2017-15697" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache NiFi", "vendor": "Apache Software Foundation", "versions": [ { "status": "affected", "version": "1.0.0 - 1.4.0" }, { "status": "affected", "version": "0.1.0 - 0.7.x" } ] } ], "datePublic": "2018-01-12T00:00:00", "descriptions": [ { "lang": "en", "value": "A malicious X-ProxyContextPath or X-Forwarded-Context header containing external resources or embedded code could cause remote code execution. The fix to properly handle these headers was applied on the Apache NiFi 1.5.0 release. Users running a prior 1.x release should upgrade to the appropriate release." } ], "problemTypes": [ { "descriptions": [ { "description": "Remote Code Execution", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-01-23T21:57:01", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://nifi.apache.org/security.html#CVE-2017-15697" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "DATE_PUBLIC": "2018-01-12T00:00:00", "ID": "CVE-2017-15697", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache NiFi", "version": { "version_data": [ { "version_value": "1.0.0 - 1.4.0" }, { "version_value": "0.1.0 - 0.7.x" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A malicious X-ProxyContextPath or X-Forwarded-Context header containing external resources or embedded code could cause remote code execution. The fix to properly handle these headers was applied on the Apache NiFi 1.5.0 release. Users running a prior 1.x release should upgrade to the appropriate release." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Remote Code Execution" } ] } ] }, "references": { "reference_data": [ { "name": "https://nifi.apache.org/security.html#CVE-2017-15697", "refsource": "CONFIRM", "url": "https://nifi.apache.org/security.html#CVE-2017-15697" } ] } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2017-15697", "datePublished": "2018-01-23T22:00:00Z", "dateReserved": "2017-10-21T00:00:00", "dateUpdated": "2024-09-17T03:48:44.883Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-1933
Vulnerability from cvelistv5
Published
2020-01-28 00:33
Modified
2024-08-04 06:54
Severity ?
EPSS score ?
Summary
A XSS vulnerability was found in Apache NiFi 1.0.0 to 1.10.0. Malicious scripts could be injected to the UI through action by an unaware authenticated user in Firefox. Did not appear to occur in other browsers.
References
▼ | URL | Tags |
---|---|---|
https://nifi.apache.org/security.html#CVE-2020-1933 | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Apache Software Foundation | Apache NiFi |
Version: Apache NiFi 1.0.0 to 1.10.0 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T06:54:00.368Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://nifi.apache.org/security.html#CVE-2020-1933" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache NiFi", "vendor": "Apache Software Foundation", "versions": [ { "status": "affected", "version": "Apache NiFi 1.0.0 to 1.10.0" } ] } ], "descriptions": [ { "lang": "en", "value": "A XSS vulnerability was found in Apache NiFi 1.0.0 to 1.10.0. Malicious scripts could be injected to the UI through action by an unaware authenticated user in Firefox. Did not appear to occur in other browsers." } ], "problemTypes": [ { "descriptions": [ { "description": "XSS Attack", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-01-28T00:33:32", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://nifi.apache.org/security.html#CVE-2020-1933" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2020-1933", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache NiFi", "version": { "version_data": [ { "version_value": "Apache NiFi 1.0.0 to 1.10.0" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A XSS vulnerability was found in Apache NiFi 1.0.0 to 1.10.0. Malicious scripts could be injected to the UI through action by an unaware authenticated user in Firefox. Did not appear to occur in other browsers." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "XSS Attack" } ] } ] }, "references": { "reference_data": [ { "name": "https://nifi.apache.org/security.html#CVE-2020-1933", "refsource": "CONFIRM", "url": "https://nifi.apache.org/security.html#CVE-2020-1933" } ] } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2020-1933", "datePublished": "2020-01-28T00:33:32", "dateReserved": "2019-12-02T00:00:00", "dateUpdated": "2024-08-04T06:54:00.368Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2017-7665
Vulnerability from cvelistv5
Published
2017-06-12 16:00
Modified
2024-08-05 16:12
Severity ?
EPSS score ?
Summary
In Apache NiFi before 0.7.4 and 1.x before 1.3.0, there are certain user input components in the UI which had been guarding for some forms of XSS issues but were insufficient.
References
▼ | URL | Tags |
---|---|---|
http://www.securityfocus.com/bid/99009 | vdb-entry, x_refsource_BID | |
https://lists.apache.org/thread.html/d779d6129de1a5aa149c219b2fc6e9e78156614eaac92a89cbaf9bce%40%3Cdev.nifi.apache.org%3E | mailing-list, x_refsource_MLIST |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Apache Software Foundation | Apache NiFi |
Version: 0.0.1 to 0.7.3 Version: 1.0.0 to 1.2.0 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T16:12:27.928Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "99009", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/99009" }, { "name": "[dev] 20170611 [ANNOUNCE] Apache NiFi CVE-2017-7667 and CVE-2017-7665", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/d779d6129de1a5aa149c219b2fc6e9e78156614eaac92a89cbaf9bce%40%3Cdev.nifi.apache.org%3E" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache NiFi", "vendor": "Apache Software Foundation", "versions": [ { "status": "affected", "version": "0.0.1 to 0.7.3" }, { "status": "affected", "version": "1.0.0 to 1.2.0" } ] } ], "datePublic": "2017-06-11T00:00:00", "descriptions": [ { "lang": "en", "value": "In Apache NiFi before 0.7.4 and 1.x before 1.3.0, there are certain user input components in the UI which had been guarding for some forms of XSS issues but were insufficient." } ], "problemTypes": [ { "descriptions": [ { "description": "Information Disclosure", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-06-13T09:57:01", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "name": "99009", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/99009" }, { "name": "[dev] 20170611 [ANNOUNCE] Apache NiFi CVE-2017-7667 and CVE-2017-7665", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/d779d6129de1a5aa149c219b2fc6e9e78156614eaac92a89cbaf9bce%40%3Cdev.nifi.apache.org%3E" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2017-7665", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache NiFi", "version": { "version_data": [ { "version_value": "0.0.1 to 0.7.3" }, { "version_value": "1.0.0 to 1.2.0" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Apache NiFi before 0.7.4 and 1.x before 1.3.0, there are certain user input components in the UI which had been guarding for some forms of XSS issues but were insufficient." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Information Disclosure" } ] } ] }, "references": { "reference_data": [ { "name": "99009", "refsource": "BID", "url": "http://www.securityfocus.com/bid/99009" }, { "name": "[dev] 20170611 [ANNOUNCE] Apache NiFi CVE-2017-7667 and CVE-2017-7665", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/d779d6129de1a5aa149c219b2fc6e9e78156614eaac92a89cbaf9bce@%3Cdev.nifi.apache.org%3E" } ] } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2017-7665", "datePublished": "2017-06-12T16:00:00", "dateReserved": "2017-04-11T00:00:00", "dateUpdated": "2024-08-05T16:12:27.928Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2017-5635
Vulnerability from cvelistv5
Published
2017-10-19 20:00
Modified
2024-08-05 15:04
Severity ?
EPSS score ?
Summary
In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, if an anonymous user request is replicated to another node, the originating node identity is used rather than the "anonymous" user.
References
▼ | URL | Tags |
---|---|---|
https://nifi.apache.org/security.html#CVE-2017-5635 | x_refsource_CONFIRM | |
http://www.securityfocus.com/bid/96730 | vdb-entry, x_refsource_BID |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Apache Software Foundation | Apache NiFi |
Version: 0.7.0 Version: 0.7.1 Version: 1.1.0 Version: 1.1.1 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T15:04:15.431Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://nifi.apache.org/security.html#CVE-2017-5635" }, { "name": "96730", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/96730" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache NiFi", "vendor": "Apache Software Foundation", "versions": [ { "status": "affected", "version": "0.7.0" }, { "status": "affected", "version": "0.7.1" }, { "status": "affected", "version": "1.1.0" }, { "status": "affected", "version": "1.1.1" } ] } ], "datePublic": "2017-02-20T00:00:00", "descriptions": [ { "lang": "en", "value": "In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, if an anonymous user request is replicated to another node, the originating node identity is used rather than the \"anonymous\" user." } ], "problemTypes": [ { "descriptions": [ { "description": "Unauthorized Access", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-10-20T09:57:01", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://nifi.apache.org/security.html#CVE-2017-5635" }, { "name": "96730", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/96730" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2017-5635", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache NiFi", "version": { "version_data": [ { "version_value": "0.7.0" }, { "version_value": "0.7.1" }, { "version_value": "1.1.0" }, { "version_value": "1.1.1" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, if an anonymous user request is replicated to another node, the originating node identity is used rather than the \"anonymous\" user." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Unauthorized Access" } ] } ] }, "references": { "reference_data": [ { "name": "https://nifi.apache.org/security.html#CVE-2017-5635", "refsource": "CONFIRM", "url": "https://nifi.apache.org/security.html#CVE-2017-5635" }, { "name": "96730", "refsource": "BID", "url": "http://www.securityfocus.com/bid/96730" } ] } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2017-5635", "datePublished": "2017-10-19T20:00:00", "dateReserved": "2017-01-29T00:00:00", "dateUpdated": "2024-08-05T15:04:15.431Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-22832
Vulnerability from cvelistv5
Published
2023-02-10 07:45
Modified
2024-08-02 10:20
Severity ?
EPSS score ?
Summary
Apache NiFi: Improper Restriction of XML External Entity References in ExtractCCDAAttributes
References
▼ | URL | Tags |
---|---|---|
https://nifi.apache.org/security.html#CVE-2023-22832 | technical-description | |
https://lists.apache.org/thread/b51qs6y7b7r58vovddkv6wc16g2xbl3w | vendor-advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Apache Software Foundation | Apache NiFi |
Version: 1.2.0 ≤ 1.19.1 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T10:20:31.072Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "technical-description", "x_transferred" ], "url": "https://nifi.apache.org/security.html#CVE-2023-22832" }, { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.apache.org/thread/b51qs6y7b7r58vovddkv6wc16g2xbl3w" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Apache NiFi", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "1.19.1", "status": "affected", "version": "1.2.0", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Yi Cai of Chaitin Tech" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cdiv\u003eThe ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references.\u003c/div\u003e\u003cdiv\u003eFlow configurations that include the ExtractCCDAAttributes Processor are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references.\u003c/div\u003e\u003cdiv\u003eThe resolution disables Document Type Declarations and disallows XML External Entity resolution in the ExtractCCDAAttributes Processor.\u003c/div\u003e" } ], "value": "The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references.\n\nFlow configurations that include the ExtractCCDAAttributes Processor are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references.\n\nThe resolution disables Document Type Declarations and disallows XML External Entity resolution in the ExtractCCDAAttributes Processor.\n\n" } ], "metrics": [ { "other": { "content": { "text": "moderate" }, "type": "MEDIUM" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-611", "description": "CWE-611 Improper Restriction of XML External Entity Reference", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-02-10T07:45:36.964Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "technical-description" ], "url": "https://nifi.apache.org/security.html#CVE-2023-22832" }, { "tags": [ "vendor-advisory" ], "url": "https://lists.apache.org/thread/b51qs6y7b7r58vovddkv6wc16g2xbl3w" } ], "source": { "defect": [ "NIFI-11029" ], "discovery": "EXTERNAL" }, "timeline": [ { "lang": "en", "time": "2023-01-03T13:00:00.000Z", "value": "reported" } ], "title": "Apache NiFi: Improper Restriction of XML External Entity References in ExtractCCDAAttributes", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2023-22832", "datePublished": "2023-02-10T07:45:36.964Z", "dateReserved": "2023-01-06T20:44:21.364Z", "dateUpdated": "2024-08-02T10:20:31.072Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }