Apache Software Foundation Apache NiFi vulnerabilities

35 known vulnerabilities affecting apache_software_foundation/apache_nifi.

Total CVEs: 35
CISA KEV: 0
Public exploits: 1
Exploited in wild: 1
Severity breakdown: CRITICAL 5, HIGH 12, MEDIUM 17, LOW 1

Vulnerabilities

Page 2 of 2
CVE-2018-17194 | HIGH | CVSS 7.5 | Versions: Apache NiFi 1.0.0 - 1.7.1 | 2018-12-19
CWE-20: When a client request to a cluster node was replicated to other nodes in the cluster for verification, the Content-Length was forwarded. On a DELETE request, the body was ignored, but if the initial request had a Content-Length value other than 0, the receiving nodes would wait for the body and eventually timeout. Mitigation: The fix to check DELETE re
Sources: cvelistv5, nvd
CVE-2018-17192 | MEDIUM | CVSS 6.5 | Versions: Apache NiFi 1.0.0 - 1.7.1 | 2018-12-19
CWE-1021: The X-Frame-Options headers were applied inconsistently on some HTTP responses, resulting in duplicate or missing security headers. Some browsers would interpret these results incorrectly, allowing clickjacking attacks. Mitigation: The fix to consistently apply the security headers was applied on the Apache NiFi 1.8.0 release. Users running a prior
Sources: cvelistv5, nvd
CVE-2018-17193 | MEDIUM | CVSS 6.1 | Versions: Apache NiFi 1.0.0 - 1.7.1 | 2018-12-19
CWE-79: The message-page.jsp error page used the value of the HTTP request header X-ProxyContextPath without sanitization, resulting in a reflected XSS attack. Mitigation: The fix to correctly parse and sanitize the request attribute value was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate releas
Sources: cvelistv5, nvd
CVE-2018-1310 | CRITICAL | CVSS 9.8 | Versions: 0.1.0 - 1.5.0 | 2018-05-23
Apache NiFi JMS Deserialization issue because of ActiveMQ client vulnerability. Malicious JMS content could cause denial of service. See ActiveMQ CVE-2015-5254 announcement for more information. The fix to upgrade the activemq-client library to 5.15.3 was applied on the Apache NiFi 1.6.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
Sources: cvelistv5
CVE-2018-1309 | CRITICAL | CVSS 9.8 | Versions: 0.1.0 - 1.5.0 | 2018-05-23
CWE-611: Apache NiFi External XML Entity issue in SplitXML processor. Malicious XML content could cause information disclosure or remote code execution. The fix to disable external general entity parsing and disallow doctype declarations was applied on the Apache NiFi 1.6.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
Sources: cvelistv5, nvd
CVE-2017-15703 | MEDIUM | CVSS 5.0 | Versions: 1.0.0 - 1.3.0 | 2018-01-25
CWE-502: Any authenticated user (valid client certificate but without ACL permissions) could upload a template which contained malicious code and caused a denial of service via Java deserialization attack. The fix to properly handle Java deserialization was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should upgrade to the appr
Sources: cvelistv5, nvd
CVE-2017-15697 | CRITICAL | CVSS 9.8 | Versions: 1.0.0 - 1.4.0, 0.1.0 - 0.7.x | 2018-01-23
CWE-20: A malicious X-ProxyContextPath or X-Forwarded-Context header containing external resources or embedded code could cause remote code execution. The fix to properly handle these headers was applied on the Apache NiFi 1.5.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
Sources: cvelistv5, nvd
CVE-2017-12632 | HIGH | CVSS 7.5 | Versions: 1.0.0 - 1.4.0, 0.1.0 - 0.7.x | 2018-01-23
CWE-20: A malicious host header in an incoming HTTP request could cause NiFi to load resources from an external server. The fix to sanitize host headers and compare to a controlled whitelist was applied on the Apache NiFi 1.5.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
Sources: cvelistv5, nvd
CVE-2017-5636 | CRITICAL | CVSS 9.8 | Versions: 0.7.0, 0.7.1, +2 more | 2017-10-19
CWE-74: In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, the proxy chain serialization/deserialization is vulnerable to an injection attack where a carefully crafted username could impersonate another user and gain their permissions on a replicated request to another node.
Sources: cvelistv5, nvd
CVE-2017-5635 | HIGH | CVSS 7.5 | Versions: 0.7.0, 0.7.1, +2 more | 2017-10-19
CWE-287: In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, if an anonymous user request is replicated to another node, the originating node identity is used rather than the "anonymous" user.
Sources: cvelistv5, nvd
CVE-2016-8748 | MEDIUM | CVSS 5.4 | Versions: 1.0.0, 1.1.0 | 2017-10-19
CWE-79: In Apache NiFi before 1.0.1 and 1.1.x before 1.1.1, there is a cross-site scripting vulnerability in connection details dialog when accessed by an authorized user. The user supplied text was not being properly handled when added to the DOM.
Sources: cvelistv5, nvd
CVE-2017-12623 | MEDIUM | CVSS 6.5 | Versions: 1.0.0 to 1.3.0 | 2017-10-10
CWE-611: An authorized user could upload a template which contained malicious code and accessed sensitive files via an XML External Entity (XXE) attack. The fix to properly handle XML External Entities was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
Sources: cvelistv5, nvd
CVE-2017-7667 | HIGH | CVSS 7.5 | Versions: 0.0.1 to 0.7.3, 1.0.0 to 1.2.0 | 2017-06-12
CWE-346: Apache NiFi before 0.7.4 and 1.x before 1.3.0 need to establish the response header telling browsers to only allow framing with the same origin.
Sources: cvelistv5, nvd
CVE-2017-7665 | MEDIUM | CVSS 6.1 | Versions: 0.0.1 to 0.7.3, 1.0.0 to 1.2.0 | 2017-06-12
CWE-79: In Apache NiFi before 0.7.4 and 1.x before 1.3.0, there are certain user input components in the UI which had been guarding for some forms of XSS issues but were insufficient.
Sources: cvelistv5, nvd
CVE-2015-5254 | CRITICAL | CVSS 9.8 | Versions: 0.1.0 - 1.5.0 | 2016-01-08
CWE-20: Apache ActiveMQ 5.x before 5.13.0 does not restrict the classes that can be serialized in the broker, which allows remote attackers to execute arbitrary code via a crafted serialized Java Message Service (JMS) ObjectMessage object.
Sources: nvd