CVE-2017-15703
published 2018-01-25CVE-2017-15703: Any authenticated user (valid client certificate but without ACL permissions) could upload a template which contained malicious code and caused a denial of…
medium5CVSS 3.0
AVLACLPRLUIRSUCNINAH
Any authenticated user (valid client certificate but without ACL permissions) could upload a template which contained malicious code and caused a denial of service via Java deserialization attack. The fix to properly handle Java deserialization was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | nifi | — | — |
| apache | nifi | 1.0.0 – 1.4.0 | — |
| apache_software_foundation | apache_nifi | — | — |