CVE-2018-17193 — Cross-site Scripting in Apache Nifi
Severity
6.1 MEDIUM (NVD)
EPSS
1.6%
top 18.33%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Dec 19
Latest update: Dec 20
Description
The message-page.jsp error page used the value of the HTTP request header X-ProxyContextPath without sanitization, resulting in a reflected XSS attack.
Mitigation: The fix to correctly parse and sanitize the request attribute value was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
CVSS vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7