CVE-2018-17194

CWE-20 — Improper Input Validation5 documents5 sources

Severity

7.5HIGH

EPSS

1.3%

top 20.21%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Nifi Apache Software Foundation Apache Nifi

Timeline

PublishedDec 19

Latest updateDec 20

Description

When a client request to a cluster node was replicated to other nodes in the cluster for verification, the Content-Length was forwarded. On a DELETE request, the body was ignored, but if the initial request had a Content-Length value other than 0, the receiving nodes would wait for the body and eventually timeout. Mitigation: The fix to check DELETE requests and overwrite non-zero Content-Length header values was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should …

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶Mavenorg.apache.nifi:nifi-framework-cluster1.0.0 — 1.8.0

▶NVDapache/nifi1.0.0 — 1.7.1

▶CVEListV5apache_software_foundation/apache_nifiApache NiFi 1.0.0 - 1.7.1

🔴Vulnerability Details

OSV

Apache NiFi Improper Input Validation vulnerability↗2018-12-20

▶

GHSA

Apache NiFi Improper Input Validation vulnerability↗2018-12-20

▶

CVEList

CVE-2018-17194: When a client request to a cluster node was replicated to other nodes in the cluster for verification, the Content-Length was forwarded↗2018-12-19

▶

📋Vendor Advisories

Apache

Apache nifi: CVE-2018-17194↗

▶