CVE-2017-15703

CWE-502 — Deserialization of Untrusted Data5 documents5 sources

Severity

5.0MEDIUM

EPSS

0.1%

top 70.53%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Nifi Apache Software Foundation Apache Nifi

Timeline

PublishedJan 25

Latest updateOct 25

Description

Any authenticated user (valid client certificate but without ACL permissions) could upload a template which contained malicious code and caused a denial of service via Java deserialization attack. The fix to properly handle Java deserialization was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should upgrade to the appropriate release.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:HExploitability: 1.3 | Impact: 3.6

Affected Packages3 packages

▶Mavenorg.apache.nifi:nifi-framework-cluster-protocol< 1.5.0

▶NVDapache/nifi1.0.0 — 1.4.0

▶CVEListV5apache_software_foundation/apache_nifi1.0.0 - 1.3.0

🔴Vulnerability Details

GHSA

Denial of service via deserialization attack in nifi↗2019-10-25

▶

OSV

Denial of service via deserialization attack in nifi↗2019-10-25

▶

CVEList

CVE-2017-15703: Any authenticated user (valid client certificate but without ACL permissions) could upload a template which contained malicious code and caused a deni↗2018-01-25

▶

📋Vendor Advisories

Apache

Apache nifi: CVE-2017-15703↗

▶