Apache Nifi vulnerabilities

CVE-2017-5635 [HIGH] CWE-287 CVE-2017-5635: In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, if an anonymous user requ In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, if an anonymous user request is replicated to another node, the originating node identity is used rather than the "anonymous" user.

CVE-2016-8748 [MEDIUM] CWE-79 CVE-2016-8748: In Apache NiFi before 1.0.1 and 1.1.x before 1.1.1, there is a cross-site scripting vulnerability in In Apache NiFi before 1.0.1 and 1.1.x before 1.1.1, there is a cross-site scripting vulnerability in connection details dialog when accessed by an authorized user. The user supplied text was not being properly handled when added to the DOM.

CVE-2017-12623 [MEDIUM] CWE-611 CVE-2017-12623: An authorized user could upload a template which contained malicious code and accessed sensitive fil An authorized user could upload a template which contained malicious code and accessed sensitive files via an XML External Entity (XXE) attack. The fix to properly handle XML External Entities was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should upgrade to the appropriate release.

CVE-2017-7667 [HIGH] CWE-346 CVE-2017-7667: Apache NiFi before 0.7.4 and 1.x before 1.3.0 need to establish the response header telling browsers Apache NiFi before 0.7.4 and 1.x before 1.3.0 need to establish the response header telling browsers to only allow framing with the same origin.

CVE-2017-7665 [MEDIUM] CWE-79 CVE-2017-7665: In Apache NiFi before 0.7.4 and 1.x before 1.3.0, there are certain user input components in the UI In Apache NiFi before 0.7.4 and 1.x before 1.3.0, there are certain user input components in the UI which had been guarding for some forms of XSS issues but were insufficient.