CVE-2018-17195Cleartext Transmission of Sensitive Info in Apache Nifi

CWE-319Cleartext Transmission of Sensitive InfoCWE-863Incorrect Authorization5 documents5 sources
Severity
7.5HIGHNVD
EPSS
0.4%
top 41.53%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache NifiApache Software Foundation Apache Nifi
Timeline
PublishedDec 19
Latest updateDec 20

Description

The template upload API endpoint accepted requests from different domain when sent in conjunction with ARP spoofing + man in the middle (MiTM) attack, resulting in a CSRF attack. The required attack vector is complex, requiring a scenario with client certificate authentication, same subnet access, and injecting malicious code into an unprotected (plaintext HTTP) website which the targeted user later visits, but the possible damage warranted a Severe severity level. Mitigation: The fix to apply C

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.6 | Impact: 5.9

Affected Packages2 packages

NVDapache/nifi1.0.01.7.1
CVEListV5apache_software_foundation/apache_nifiApache NiFi 1.0.0 - 1.7.1

🔴Vulnerability Details

3
GHSA
Cleartext Transmission of Sensitive Information in Apache nifi2018-12-20
OSV
Cleartext Transmission of Sensitive Information in Apache nifi2018-12-20
CVEList
CVE-2018-17195: The template upload API endpoint accepted requests from different domain when sent in conjunction with ARP spoofing + man in the middle (MiTM) attack,2018-12-19

📋Vendor Advisories

1
Apache
Apache nifi: CVE-2018-17195
CVE-2018-17195 — Apache Nifi vulnerability | cvebase