CVE-2018-17192

CWE-1021: Clickjacking (5 documents, 5 sources)
Severity: 6.5 MEDIUM
EPSS: 0.8% (top 25.97%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Dec 19; latest update Dec 20

Description

The X-Frame-Options headers were applied inconsistently on some HTTP responses, resulting in duplicate or missing security headers. Some browsers interpreted these responses incorrectly, allowing clickjacking attacks. Mitigation: The fix that applies the security headers consistently was included in the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Exploitability: 2.8 | Impact: 3.6

Affected Packages (3 packages)

  Maven      org.apache.nifi:nifi                     1.0.0  1.8.0
  NVD        apache/nifi                              1.0.0  1.6.0
  CVEListV5  apache_software_foundation/apache_nifi   Apache NiFi 1.0.0 - 1.7.1

Vulnerability Details (3)

OSV: Improper Restriction of Rendered UI Layers or Frames in Apache nifi (2018-12-20)
GHSA: Improper Restriction of Rendered UI Layers or Frames in Apache nifi (2018-12-20)
CVEList: CVE-2018-17192: The X-Frame-Options headers were applied inconsistently on some HTTP responses, resulting in duplicate or missing security headers (2018-12-19)

Vendor Advisories (1)

Apache: Apache nifi: CVE-2018-17192
CVE-2018-17192 (MEDIUM, CVSS 6.5) | cvebase.io