CVE-2017-5636

CWE-745 documents5 sources

Severity

9.8CRITICAL

EPSS

1.2%

top 21.11%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Nifi Apache Nifi

Timeline

PublishedOct 19

Latest updateMay 17

Description

In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, the proxy chain serialization/deserialization is vulnerable to an injection attack where a carefully crafted username could impersonate another user and gain their permissions on a replicated request to another node.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶Mavenorg.apache.nifi:nifi1.0.0 — 1.1.2+1

▶NVDapache/nifi4 versions+3

▶CVEListV5apache_software_foundation/apache_nifi4 versions+3

🔴Vulnerability Details

OSV

Injection in Apache NiFi↗2022-05-17

▶

GHSA

Injection in Apache NiFi↗2022-05-17

▶

CVEList

CVE-2017-5636: In Apache NiFi before 0↗2017-10-19

▶

📋Vendor Advisories

Apache

Apache nifi: CVE-2017-5636↗

▶