CVE-2017-12632Improper Input Validation in Apache Nifi

CWE-20Improper Input Validation5 documents5 sources
Severity
7.5HIGHNVD
EPSS
0.5%
top 32.73%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache NifiApache Software Foundation Apache Nifi
Timeline
PublishedJan 23
Latest updateMay 14

Description

A malicious host header in an incoming HTTP request could cause NiFi to load resources from an external server. The fix to sanitize host headers and compare to a controlled whitelist was applied on the Apache NiFi 1.5.0 release. Users running a prior 1.x release should upgrade to the appropriate release.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

NVDapache/nifi1.4.0
CVEListV5apache_software_foundation/apache_nifi0.1.0 - 0.7.x, 1.0.0 - 1.4.0+1

🔴Vulnerability Details

3
OSV
Apache NiFi host header poisoning issue2022-05-14
GHSA
Apache NiFi host header poisoning issue2022-05-14
CVEList
CVE-2017-12632: A malicious host header in an incoming HTTP request could cause NiFi to load resources from an external server2018-01-23

📋Vendor Advisories

1
Apache
Apache nifi: CVE-2017-12632
CVE-2017-12632 — Improper Input Validation in Apache | cvebase