| <!DOCTYPE html> |
| <html lang="en"> |
| |
| <head> |
| <meta charset="utf-8"> |
| <title>Security Reporting - Apache NiFi</title> |
| <meta name="viewport" content="width=device-width, initial-scale=1"> |
| <meta name="description" content="Apache NiFi is an easy to use, powerful, and reliable system to process and distribute data"> |
| <meta name="keywords" content="apache,nifi,data,distribution"> |
| <meta property="og:title" content="Security Reporting"> |
| <meta property="og:type" content="article"> |
| <meta property="og:url" content="https://nifi.apache.org/documentation/security/"> |
| <meta property="og:description" content="Apache NiFi is an easy to use, powerful, and reliable system to process and distribute data"> |
| <meta property="og:site_name" content="Apache NiFi"> |
| <meta property="og:image" content="https://nifi.apache.org/images/project-brand.jpg?version=1"> |
| <meta name="twitter:title" content="Security Reporting"> |
| <meta name="twitter:description" content="Apache NiFi is an easy to use, powerful, and reliable system to process and distribute data"> |
| <meta name="twitter:card" content="summary_large_image"> |
| <meta name="twitter:creator" content="apachenifi"> |
| <meta name="twitter:image" content="https://nifi.apache.org/images/project-brand.jpg?version=1"> |
| <link rel="icon" href="/images/apache-nifi-drop-logo.svg"> |
| <link rel="stylesheet" href="/uikit/css/uikit.min.css"> |
| <link rel="stylesheet" href="/css/main.css?version=1"> |
| <script> |
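| // Matomo analytics bootstrap. Cookies are disabled before the first tracking call, |
| // and the tracker script is only injected when the page is served from nifi.apache.org, |
| // so local and preview builds never report page views. |
| var _paq = window._paq = window._paq || []; |
| _paq.push(['disableCookies']); |
| _paq.push(['trackPageView']); |
| _paq.push(['enableLinkTracking']); |
| (function() { |
| // Explicit https: instead of a protocol-relative "//" URL so the tracker endpoint and |
| // script are never fetched over plain HTTP, whatever scheme the page itself used. |
| var baseUri = "https://matomo.privacy.apache.org/"; |
| _paq.push(['setTrackerUrl', baseUri + 'matomo.php']); |
| _paq.push(['setSiteId', '28']); |
| var trackerElement = document.createElement('script'); |
| trackerElement.async = true; |
| trackerElement.src = baseUri + 'matomo.js'; |
| // NOTE(review): matomo.js is loaded without an integrity (SRI) attribute. It is served |
| // from an apache.org host and changes with Matomo releases, so a pinned hash would need |
| // updating on every release; consider adding one if the host can publish stable hashes. |
| // Insert the tracker ahead of the first <script> (this inline one) so it loads early. |
| var firstScriptElement = document.getElementsByTagName('script')[0]; |
| if (window.location.host === 'nifi.apache.org') { |
| firstScriptElement.parentNode.insertBefore(trackerElement, firstScriptElement); |
| } |
| })(); |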
| </script> |
| </head> |
| <body class="section-background"> |
| |
| <main> |
| <div class="uk-container"> |
| <h1 id="apache-hahahugoshortcode-s0-hbhb-security">Apache <span class="ni">Ni</span><span class="fi">Fi</span> |
| Security</h1> |
| <p>Apache NiFi welcomes the responsible reporting of security vulnerabilities. Project Management Committee members will |
| collaborate and respond to potential vulnerabilities, providing an assessment of the concern and a plan of action to |
| remediate verified issues.</p> |
| <h2 id="reporting-policy">Reporting Policy</h2> |
| <p>Please read the <a href="https://www.apache.org/security/committers.html">Apache Project Security for Committers</a> |
| policy for general guidelines applicable to the disclosure of security issues for Apache Software Foundation projects.</p> |
| <p>Do not perform the following actions after discovering a potential security concern:</p> |
| <ul> |
| <li>Open a Jira disclosing a security vulnerability to the public</li> |
| <li>Send a message to the project mailing lists disclosing a security vulnerability to the public</li> |
| <li>Send a message to the project Slack instance disclosing a security vulnerability to the public</li> |
| </ul> |
| <h2 id="reporting-guidelines">Reporting Guidelines</h2> |
| <p>Configuring dangerous operating system commands or custom scripts is not a project security vulnerability. |
| Authenticated and authorized users are responsible for the security of operating system commands and custom |
| code.</p> |
| <p>Apache NiFi provides a framework for developing processing pipelines using standard and custom |
| components. The framework supports configurable permissions that enable authorized users to execute code |
| using several standard components. Components such as ExecuteProcess and ExecuteStreamCommand support |
| running operating system commands, while other scripted components support executing custom code using |
| different programming languages. Configuring these components with untrusted commands or arguments is |
| contrary to best practices, but it does not constitute a security issue for remediation.</p> |
| <h2 id="reporting-process">Reporting Process</h2> |
| <ul> |
| <li>Notify the project on initial discovery of a potential security vulnerability</li> |
| <li>Provide a reasonable amount of time for an initial assessment and remediation plan</li> |
| <li>Limit interaction to accounts under direct control or accounts with explicit permission of the owner</li> |
| <li>Avoid privacy violations, destruction of data, and interruption or degradation of services</li> |
| <li>Avoid spamming, social engineering, and methods to manipulate project members</li> |
| </ul> |
| <h2 id="reporting-methods">Reporting Methods</h2> |
| <ul> |
| <li>Security Mailing List: <a href="mailto:security@nifi.apache.org">security@nifi.apache.org</a> |
| <ul> |
| <li>Members of the Project Management Committee monitor this private mailing list and respond to disclosures</li> |
| </ul> |
| </li> |
| </ul> |
| <h2 id="severity-ratings">Severity Ratings</h2> |
| <p>Severity ratings represent the determination of project members based on an evaluation of |
| <a href="https://www.first.org/cvss/">Common Vulnerability Scoring System</a> calculations.</p> |
| <ul> |
| <li>Critical: Arbitrary code execution from a remote attacker</li> |
| <li>High: Compromise of integrity or availability through resource exhaustion</li> |
| <li>Medium: Requires special configuration settings and significant mitigations are available</li> |
| <li>Low: Minimal impact and significant difficulty of exploitation</li> |
| </ul> |
| <h1 id="published-vulnerabilities">Published Vulnerabilities</h1> |
| <p>The following announcements include published vulnerabilities that apply directly to Apache NiFi components.</p> |
| <div class="vulnerability-container"> |
| <h3 id="CVE-2023-49145">CVE-2023-49145</h3> |
| |
| <ul> |
| <li>Title: Improper Neutralization of Input in Advanced User Interface for Jolt</li> |
| <li>Published: 2023-11-27</li> |
| <li>Severity: High</li> |
| <li>Products: Apache NiFi</li> |
| <li>Affected Versions: 0.7.0 to 1.23.2</li> |
| <li>Fixed Versions: 1.24.0</li> |
| <li>Reporter: Dr. Oliver Matula, DB Systel GmbH</li> |
| <li>References |
| <ul> |
| <li> |
| CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2023-49145" target="_blank" rel="noopener noreferrer">CVE-2023-49145</a> |
| </li> |
| <li> |
| NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-49145" target="_blank" rel="noopener noreferrer">CVE-2023-49145</a> |
| </li> |
| <li> |
| Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-12403" target="_blank" rel="noopener noreferrer">NIFI-12403</a> |
| </li> |
| |
| <li> |
| GitHub Pull Request: <a href="https://github.com/apache/nifi/pull/8060" target="_blank" rel="noopener noreferrer">8060</a> |
| </li> |
| |
| </ul> |
| </li> |
| </ul> |
| |
| <p class="vulnerability-description"> |
| |
| |
| Apache NiFi 0.7.0 through 1.23.2 include the JoltTransformJSON Processor, which provides an advanced configuration user |
| interface that is vulnerable to DOM-based cross-site scripting. If an authenticated user, who is authorized to configure |
| a JoltTransformJSON Processor, visits a crafted URL, then arbitrary JavaScript code can be executed within the session |
| context of the authenticated user. Upgrading to Apache NiFi 1.24.0 or 2.0.0-M1 is the recommended mitigation. |
| |
| |
| </p> |
| </div> |
| <div class="vulnerability-container"> |
| <h3 id="CVE-2023-40037">CVE-2023-40037</h3> |
| |
| <ul> |
| <li>Title: Incomplete Validation of JDBC and JNDI Connection URLs</li> |
| <li>Published: 2023-08-18</li> |
| <li>Severity: Medium</li> |
| <li>Products: Apache NiFi</li> |
| <li>Affected Versions: 1.21.0 to 1.23.0</li> |
| <li>Fixed Versions: 1.23.1</li> |
| <li>Reporter: Matei 'Mal' Badanoiu</li> |
| <li>References |
| <ul> |
| <li> |
| CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2023-40037" target="_blank" rel="noopener noreferrer">CVE-2023-40037</a> |
| </li> |
| <li> |
| NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-40037" target="_blank" rel="noopener noreferrer">CVE-2023-40037</a> |
| </li> |
| <li> |
| Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-11920" target="_blank" rel="noopener noreferrer">NIFI-11920</a> |
| </li> |
| |
| <li> |
| GitHub Pull Request: <a href="https://github.com/apache/nifi/pull/7586" target="_blank" rel="noopener noreferrer">7586</a> |
| </li> |
| |
| </ul> |
| </li> |
| </ul> |
| |
| <p class="vulnerability-description"> |
| |
| |
| Apache NiFi 1.21.0 through 1.23.0 support JDBC and JNDI JMS access in several Processors and Controller Services with |
| connection URL validation that does not provide sufficient protection against crafted inputs. An authenticated and |
| authorized user can bypass connection URL validation using custom input formatting. The resolution enhances connection |
| URL validation and introduces validation for additional related properties. Upgrading to Apache NiFi 1.23.1 is the |
| recommended mitigation. |
| |
| |
| </p> |
| </div> |
| <div class="vulnerability-container"> |
| <h3 id="CVE-2023-36542">CVE-2023-36542</h3> |
| |
| <ul> |
| <li>Title: Potential Code Injection with Properties Referencing Remote Resources</li> |
| <li>Published: 2023-07-28</li> |
| <li>Severity: Medium</li> |
| <li>Products: Apache NiFi</li> |
| <li>Affected Versions: 0.0.2 to 1.22.0</li> |
| <li>Fixed Versions: 1.23.0</li> |
| <li>Reporter: nbxiglk</li> |
| <li>References |
| <ul> |
| <li> |
| CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2023-36542" target="_blank" rel="noopener noreferrer">CVE-2023-36542</a> |
| </li> |
| <li> |
| NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-36542" target="_blank" rel="noopener noreferrer">CVE-2023-36542</a> |
| </li> |
| <li> |
| Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-11744" target="_blank" rel="noopener noreferrer">NIFI-11744</a> |
| </li> |
| |
| <li> |
| GitHub Pull Request: <a href="https://github.com/apache/nifi/pull/7426" target="_blank" rel="noopener noreferrer">7426</a> |
| </li> |
| |
| </ul> |
| </li> |
| </ul> |
| |
| <p class="vulnerability-description"> |
| |
| |
| Apache NiFi 0.0.2 through 1.22.0 include Processors and Controller Services that support HTTP URL references for |
| retrieving drivers, which allows an authenticated and authorized user to configure a location that enables custom code |
| execution. The resolution introduces a new Required Permission for referencing remote resources, restricting |
| configuration of these components to privileged users. The permission prevents unprivileged users from configuring |
| Processors and Controller Services annotated with the new Reference Remote Resources restriction. Upgrading to Apache |
| NiFi 1.23.0 is the recommended mitigation. |
| |
| |
| </p> |
| </div> |
| <div class="vulnerability-container"> |
| <h3 id="CVE-2023-34468">CVE-2023-34468</h3> |
| |
| <ul> |
| <li>Title: Potential Code Injection with Database Services using H2</li> |
| <li>Published: 2023-06-12</li> |
| <li>Severity: Medium</li> |
| <li>Products: Apache NiFi</li> |
| <li>Affected Versions: 0.0.2 to 1.21.0</li> |
| <li>Fixed Versions: 1.22.0</li> |
| <li>Reporter: Matei 'Mal' Badanoiu</li> |
| <li>References |
| <ul> |
| <li> |
| CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2023-34468" target="_blank" rel="noopener noreferrer">CVE-2023-34468</a> |
| </li> |
| <li> |
| NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-34468" target="_blank" rel="noopener noreferrer">CVE-2023-34468</a> |
| </li> |
| <li> |
| Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-11653" target="_blank" rel="noopener noreferrer">NIFI-11653</a> |
| </li> |
| |
| <li> |
| GitHub Pull Request: <a href="https://github.com/apache/nifi/pull/7349" target="_blank" rel="noopener noreferrer">7349</a> |
| </li> |
| |
| </ul> |
| </li> |
| </ul> |
| |
| <p class="vulnerability-description"> |
| |
| |
| The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an |
| authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution. |
| The resolution validates the Database URL and rejects H2 JDBC locations. Upgrading to NiFi 1.22.0 disables H2 JDBC URLs |
| in the default configuration. |
| |
| |
| </p> |
| </div> |
| <div class="vulnerability-container"> |
| <h3 id="CVE-2023-34212">CVE-2023-34212</h3> |
| |
| <ul> |
| <li>Title: Potential Deserialization of Untrusted Data with JNDI in JMS Components</li> |
| <li>Published: 2023-06-12</li> |
| <li>Severity: Medium</li> |
| <li>Products: Apache NiFi</li> |
| <li>Affected Versions: 1.8.0 to 1.21.0</li> |
| <li>Fixed Versions: 1.22.0</li> |
| <li>Reporter: Veraxy00 of Qianxin TI Center and Matei 'Mal' Badanoiu</li> |
| <li>References |
| <ul> |
| <li> |
| CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2023-34212" target="_blank" rel="noopener noreferrer">CVE-2023-34212</a> |
| </li> |
| <li> |
| NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-34212" target="_blank" rel="noopener noreferrer">CVE-2023-34212</a> |
| </li> |
| <li> |
| Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-11614" target="_blank" rel="noopener noreferrer">NIFI-11614</a> |
| </li> |
| |
| <li> |
| GitHub Pull Request: <a href="https://github.com/apache/nifi/pull/7313" target="_blank" rel="noopener noreferrer">7313</a> |
| </li> |
| |
| </ul> |
| </li> |
| </ul> |
| |
| <p class="vulnerability-description"> |
| |
| |
| The JndiJmsConnectionFactoryProvider Controller Service along with the ConsumeJMS and PublishJMS Processors, in Apache |
| NiFi 1.8.0 through 1.21.0 allow an authenticated and authorized user to configure URL and library properties that enable |
| deserialization of untrusted data from a remote location. The resolution validates the JNDI URL and restricts locations |
| to a set of allowed schemes. Upgrading to NiFi 1.22.0 disables LDAP for JNDI URLs in the default configuration. |
| |
| |
| </p> |
| </div> |
| <div class="vulnerability-container"> |
| <h3 id="CVE-2023-22832">CVE-2023-22832</h3> |
| |
| <ul> |
| <li>Title: Improper Restriction of XML External Entity References in ExtractCCDAAttributes</li> |
| <li>Published: 2023-02-09</li> |
| <li>Severity: Medium</li> |
| <li>Products: Apache NiFi</li> |
| <li>Affected Versions: 1.2.0 to 1.19.1</li> |
| <li>Fixed Versions: 1.20.0</li> |
| <li>Reporter: Yi Cai of Chaitin Tech</li> |
| <li>References |
| <ul> |
| <li> |
| CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2023-22832" target="_blank" rel="noopener noreferrer">CVE-2023-22832</a> |
| </li> |
| <li> |
| NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-22832" target="_blank" rel="noopener noreferrer">CVE-2023-22832</a> |
| </li> |
| <li> |
| Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-11029" target="_blank" rel="noopener noreferrer">NIFI-11029</a> |
| </li> |
| |
| <li> |
| GitHub Pull Request: <a href="https://github.com/apache/nifi/pull/6828" target="_blank" rel="noopener noreferrer">6828</a> |
| </li> |
| |
| </ul> |
| </li> |
| </ul> |
| |
| <p class="vulnerability-description"> |
| |
| |
| The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity |
| references. Flow configurations that include the ExtractCCDAAttributes Processor are vulnerable to malicious XML |
| documents that contain Document Type Declarations with XML External Entity references. The resolution disables Document |
| Type Declarations and disallows XML External Entity resolution in the ExtractCCDAAttributes Processor. Upgrading to NiFi |
| 1.20.0 disables Document Type Declarations in the default configuration for ExtractCCDAAttributes. |
| |
| |
| </p> |
| </div> |
| <div class="vulnerability-container"> |
| <h3 id="CVE-2022-33140">CVE-2022-33140</h3> |
| |
| <ul> |
| <li>Title: Improper Neutralization of Command Elements in Shell User Group Provider</li> |
| <li>Published: 2022-06-15</li> |
| <li>Severity: High</li> |
| <li>Products: Apache NiFi and Apache NiFi Registry</li> |
| <li>Affected Versions: 1.10.0 to 1.16.2</li> |
| <li>Fixed Versions: 1.20.0</li> |
| <li>Reporter: Anonymous</li> |
| <li>References |
| <ul> |
| <li> |
| CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2022-33140" target="_blank" rel="noopener noreferrer">CVE-2022-33140</a> |
| </li> |
| <li> |
| NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-33140" target="_blank" rel="noopener noreferrer">CVE-2022-33140</a> |
| </li> |
| <li> |
| Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-10114" target="_blank" rel="noopener noreferrer">NIFI-10114</a> |
| </li> |
| |
| <li> |
| GitHub Pull Request: <a href="https://github.com/apache/nifi/pull/6122" target="_blank" rel="noopener noreferrer">6122</a> |
| </li> |
| |
| </ul> |
| </li> |
| </ul> |
| |
| <p class="vulnerability-description"> |
| |
| |
| The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not |
| neutralize arguments for group resolution commands, allowing injection of operating system commands on Linux and macOS |
| platforms. The ShellUserGroupProvider is not included in the default configuration. Command injection requires |
| ShellUserGroupProvider to be one of the enabled User Group Providers in the Authorizers configuration. Command injection |
| also requires an authenticated user with elevated privileges. Apache NiFi requires an authenticated user with |
| authorization to modify access policies to execute the command. Apache NiFi Registry requires an authenticated user with |
| authorization to read user groups to execute the command. NiFi and NiFi Registry version 1.16.3 have completely removed |
| the shell commands from the ShellUserGroupProvider that received user arguments. |
| |
| |
| </p> |
| </div> |
| <div class="vulnerability-container"> |
| <h3 id="CVE-2022-29265">CVE-2022-29265</h3> |
| |
| <ul> |
| <li>Title: Improper Restriction of XML External Entity References in Multiple Components</li> |
| <li>Published: 2022-04-29</li> |
| <li>Severity: Medium</li> |
| <li>Products: Apache NiFi</li> |
| <li>Affected Versions: 0.0.1 to 1.16.0</li> |
| <li>Fixed Versions: 1.16.1</li> |
| <li>Reporter: David Handermann at exceptionfactory.com</li> |
| <li>References |
| <ul> |
| <li> |
| CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2022-29265" target="_blank" rel="noopener noreferrer">CVE-2022-29265</a> |
| </li> |
| <li> |
| NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-29265" target="_blank" rel="noopener noreferrer">CVE-2022-29265</a> |
| </li> |
| <li> |
| Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-9901" target="_blank" rel="noopener noreferrer">NIFI-9901</a> |
| </li> |
| |
| <li> |
| GitHub Pull Request: <a href="https://github.com/apache/nifi/pull/5962" target="_blank" rel="noopener noreferrer">5962</a> |
| </li> |
| |
| </ul> |
| </li> |
| </ul> |
| |
| <p class="vulnerability-description"> |
| |
| |
| Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default |
| configuration. The Standard Content Viewer service attempts to resolve XML External Entity references when viewing |
| formatted XML files. The following Processors attempt to resolve XML External Entity references when configured with |
| default property values: EvaluateXPath, EvaluateXQuery, and ValidateXml. Apache NiFi flow configurations that include |
| these Processors are vulnerable to malicious XML documents that contain Document Type Declarations with XML External |
| Entity references. Upgrading to NiFi 1.16.1 disables Document Type Declarations in the default configuration for these |
| processors, and disallows XML External Entity resolution in standard services. |
| |
| |
| </p> |
| </div> |
| <div class="vulnerability-container"> |
| <h3 id="CVE-2022-26850">CVE-2022-26850</h3> |
| |
| <ul> |
| <li>Title: Insufficiently Protected Credentials for Single-User Authentication</li> |
| <li>Published: 2022-03-27</li> |
| <li>Severity: Low</li> |
| <li>Products: Apache NiFi</li> |
| <li>Affected Versions: 1.14.0 to 1.15.3</li> |
| <li>Fixed Versions: 1.16.0</li> |
| <li>Reporter: Jonathan Leitschuh at twitter.com/jlleitschuh</li> |
| <li>References |
| <ul> |
| <li> |
| CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2022-26850" target="_blank" rel="noopener noreferrer">CVE-2022-26850</a> |
| </li> |
| <li> |
| NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-26850" target="_blank" rel="noopener noreferrer">CVE-2022-26850</a> |
| </li> |
| <li> |
| Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-9785" target="_blank" rel="noopener noreferrer">NIFI-9785</a> |
| </li> |
| |
| <li> |
| GitHub Pull Request: <a href="https://github.com/apache/nifi/pull/5856" target="_blank" rel="noopener noreferrer">5856</a> |
| </li> |
| |
| </ul> |
| </li> |
| </ul> |
| |
| <p class="vulnerability-description"> |
| |
| |
| When creating or updating credentials for single-user access, NiFi wrote a copy of the Login Identity Providers |
| configuration to the operating system temporary directory. The Login Identity Providers configuration file contains the |
| username and a bcrypt hash of the configured password. On most platforms, the operating system temporary directory has |
| global read permissions. NiFi immediately moved the temporary file to the final configuration directory, which |
| significantly limited the window of opportunity for access. Bcrypt is a password-hashing algorithm that incorporates a |
| random salt and a specified cost factor, designed to maintain resistance to brute-force attacks. Use of the bcrypt |
| algorithm minimizes the impact of disclosing the single-user credentials stored in Login Identity Providers. NiFi 1.16.0 |
| includes updates to replace the Login Identity Providers configuration without writing a file to the operating system |
| temporary directory. |
| |
| |
| </p> |
| </div> |
| <div class="vulnerability-container"> |
| <h3 id="CVE-2021-44145">CVE-2021-44145</h3> |
| |
| <ul> |
| <li>Title: Potential Information Disclosure through XML External Entity Resolution in TransformXML</li> |
| <li>Published: 2021-12-15</li> |
| <li>Severity: Low</li> |
| <li>Products: Apache NiFi</li> |
| <li>Affected Versions: 0.1.0 to 1.15.0</li> |
| <li>Fixed Versions: 1.15.1</li> |
| <li>Reporter: DangKhai at Viettel Cyber Security</li> |
| <li>References |
| <ul> |
| <li> |
| CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2021-44145" target="_blank" rel="noopener noreferrer">CVE-2021-44145</a> |
| </li> |
| <li> |
| NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2021-44145" target="_blank" rel="noopener noreferrer">CVE-2021-44145</a> |
| </li> |
| <li> |
| Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-9399" target="_blank" rel="noopener noreferrer">NIFI-9399</a> |
| </li> |
| |
| <li> |
| GitHub Pull Request: <a href="https://github.com/apache/nifi/pull/5542" target="_blank" rel="noopener noreferrer">5542</a> |
| </li> |
| |
| </ul> |
| </li> |
| </ul> |
| |
| <p class="vulnerability-description"> |
| |
| |
| In the TransformXML processor, an authenticated user could configure an XSLT file which, if it included malicious |
| external entity calls, may reveal sensitive information. The Secure processing property in TransformXML will now apply |
| to the configured XSLT file as well as flow files being transformed. Users running any previous NiFi release should |
| upgrade to 1.15.1. |
| |
| |
| </p> |
| </div> |
| <div class="vulnerability-container"> |
| <h3 id="CVE-2020-9486">CVE-2020-9486</h3> |
| |
| <ul> |
| <li>Title: Potential Information Disclosure in Application Logs</li> |
| <li>Published: 2020-08-18</li> |
| <li>Severity: Medium</li> |
| <li>Products: Apache NiFi</li> |
| <li>Affected Versions: 1.10.0 to 1.11.4</li> |
| <li>Fixed Versions: 1.12.0</li> |
| <li>Reporter: Andy LoPresto and Pierre Villard</li> |
| <li>References |
| <ul> |
| <li> |
| CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2020-9486" target="_blank">CVE-2020-9486</a> |
| </li> |
| <li> |
| NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2020-9486" target="_blank">CVE-2020-9486</a> |
| </li> |
| <li> |
| Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-7377" target="_blank">NIFI-7377</a> |
| </li> |
| |
| <li> |
| GitHub Pull Request: <a href="https://github.com/apache/nifi/pull/4222" target="_blank">4222</a> |
| </li> |
| |
| </ul> |
| </li> |
| </ul> |
| |
| <p class="vulnerability-description"> |
| |
| |
| The NiFi stateless execution engine produced log output which included sensitive property values. When a flow was |
| triggered, the flow definition configuration JSON was printed, potentially containing sensitive values in plaintext. |
| NiFi 1.12.0 implemented Argon2 secure hashing to provide a deterministic loggable value which does not reveal the |
| sensitive value. Users running any previous NiFi release should upgrade to 1.12.0. |
| |
| |
| </p> |
| </div> |
| <div class="vulnerability-container"> |
| <h3 id="CVE-2020-9487">CVE-2020-9487</h3> |
| |
| <ul> |
| <li>Title: Potential Denial of Service with Token Authentication Requests</li> |
| <li>Published: 2020-08-18</li> |
| <li>Severity: Medium</li> |
| <li>Products: Apache NiFi</li> |
| <li>Affected Versions: 1.0.0 to 1.11.4</li> |
| <li>Fixed Versions: 1.12.0</li> |
| <li>Reporter: Dennis Detering, IT Security Consultant at Spike Reply</li> |
| <li>References |
| <ul> |
| <li> |
| CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2020-9487" target="_blank">CVE-2020-9487</a> |
| </li> |
| <li> |
| NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2020-9487" target="_blank">CVE-2020-9487</a> |
| </li> |
| <li> |
| Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-7385" target="_blank">NIFI-7385</a> |
| </li> |
| |
| <li> |
| GitHub Pull Request: <a href="https://github.com/apache/nifi/pull/4271" target="_blank">4271</a> |
| </li> |
| |
| </ul> |
| </li> |
| </ul> |
| |
| <p class="vulnerability-description"> |
| |
| |
| The NiFi download token (one-time password) mechanism used a fixed-size cache and did not authenticate the request
| that created a download token; authentication was only enforced when the token was later used to access the content.
| An unauthenticated user could therefore repeatedly request download tokens, preventing legitimate users from
| obtaining download tokens. NiFi 1.12.0 disabled anonymous authentication, implemented a multi-indexed cache, and
| limited token creation requests to one concurrent request per user. Users running any previous NiFi release should
| upgrade to 1.12.0.
| |
| |
| </p> |
| </div> |
| <div class="vulnerability-container"> |
| <h3 id="CVE-2020-9491">CVE-2020-9491</h3> |
| |
| <ul> |
| <li>Title: Insecure TLS Protocol Versions for Cluster Communication</li> |
| <li>Published: 2020-08-18</li> |
| <li>Severity: High</li> |
| <li>Products: Apache NiFi</li> |
| <li>Affected Versions: 1.2.0 to 1.11.4</li> |
| <li>Fixed Versions: 1.12.0</li> |
| <li>Reporter: Juan Carlos Sequeiros and Andy LoPresto</li> |
| <li>References |
| <ul> |
| <li> |
| CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2020-9491" target="_blank">CVE-2020-9491</a> |
| </li> |
| <li> |
| NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2020-9491" target="_blank">CVE-2020-9491</a> |
| </li> |
| <li> |
| Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-7407" target="_blank">NIFI-7407</a> |
| </li> |
| |
| <li> |
| GitHub Pull Request: <a href="https://github.com/apache/nifi/pull/4263" target="_blank">4263</a> |
| </li> |
| |
| </ul> |
| </li> |
| </ul> |
| |
| <p class="vulnerability-description"> |
| |
| |
| The NiFi UI and API were protected by mandating TLS v1.2, as were listening connections established by processors
| such as ListenHTTP and HandleHttpRequest. However, intra-cluster communication such as cluster request replication,
| Site-to-Site, and load-balanced queues continued to accept TLS 1.0 and 1.1. NiFi 1.12.0 refactored the disparate
| internal SSL and TLS code, reducing the exposure of extension and framework developers to low-level primitives, and
| added support for TLS v1.3 on JVMs that support it. This version restricts all incoming TLS communications to TLS
| 1.2 or higher. Users running any previous NiFi release should upgrade to 1.12.0.
| |
| |
| </p> |
| </div> |
| <div class="vulnerability-container"> |
| <h3 id="CVE-2020-13940">CVE-2020-13940</h3> |
| |
| <ul> |
| <li>Title: Potential Information Disclosure through XML External Entity Resolution in Notification Service</li> |
| <li>Published: 2020-08-18</li> |
| <li>Severity: Low</li> |
| <li>Products: Apache NiFi</li> |
| <li>Affected Versions: 1.0.0 to 1.11.4</li> |
| <li>Fixed Versions: 1.12.0</li> |
| <li>Reporter: Matt Burgess and Andy LoPresto</li> |
| <li>References |
| <ul> |
| <li> |
| CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2020-13940" target="_blank">CVE-2020-13940</a> |
| </li> |
| <li> |
| NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2020-13940" target="_blank">CVE-2020-13940</a> |
| </li> |
| <li> |
| Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-7680" target="_blank">NIFI-7680</a> |
| </li> |
| |
| <li> |
| GitHub Pull Request: <a href="https://github.com/apache/nifi/pull/4436" target="_blank">4436</a> |
| </li> |
| |
| </ul> |
| </li> |
| </ul> |
| |
| <p class="vulnerability-description"> |
| |
| |
| The notification service manager and various policy authorizer and user group provider objects allowed trusted |
| administrators to inadvertently configure a potentially malicious XML file. The XML file has the ability to make |
| external calls to services through XML External Entity resolution. NiFi 1.12.0 introduced an XML validator to prevent |
| malicious code from being parsed and executed. Users running any previous NiFi release should upgrade to 1.12.0. |
| |
| |
| </p> |
| </div> |
| <div class="vulnerability-container"> |
| <h3 id="CVE-2020-9482">CVE-2020-9482</h3> |
| |
| <ul> |
| <li>Title: Application Bearer Token Remains Valid After Logout Completion</li> |
| <li>Published: 2020-04-07</li> |
| <li>Severity: Medium</li> |
| <li>Products: Apache NiFi Registry</li> |
| <li>Affected Versions: 0.1.0 to 0.5.0</li> |
| <li>Fixed Versions: 0.6.0</li> |
| <li>Reporter: Andy LoPresto</li> |
| <li>References |
| <ul> |
| <li> |
| CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2020-9482" target="_blank">CVE-2020-9482</a> |
| </li> |
| <li> |
| NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2020-9482" target="_blank">CVE-2020-9482</a> |
| </li> |
| <li> |
| Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFIREG-361" target="_blank">NIFIREG-361</a> |
| </li> |
| |
| </ul> |
| </li> |
| </ul> |
| |
| <p class="vulnerability-description"> |
| |
| |
| If NiFi Registry uses an authentication mechanism other than PKI, when the user clicks Log Out, NiFi Registry
| invalidates the authentication token on the client side but not on the server side. This permits the user's client-side
| token to be used for up to 12 hours after logging out to make API requests to NiFi Registry. NiFi Registry 0.6.0
| invalidates the server-side authentication token immediately after the user clicks the Log Out link. Users running a
| prior release should upgrade to 0.6.0.
| |
| |
| </p> |
| </div> |
| <div class="vulnerability-container"> |
| <h3 id="CVE-2020-1942">CVE-2020-1942</h3> |
| |
| <ul> |
| <li>Title: Potential Information Disclosure in Application Logs</li> |
| <li>Published: 2020-02-04</li> |
| <li>Severity: Medium</li> |
| <li>Products: Apache NiFi</li> |
| <li>Affected Versions: 0.0.1 to 1.11.0</li> |
| <li>Fixed Versions: 1.11.1</li> |
| <li>Reporter: Andy LoPresto</li> |
| <li>References |
| <ul> |
| <li> |
| CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2020-1942" target="_blank">CVE-2020-1942</a> |
| </li> |
| <li> |
| NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2020-1942" target="_blank">CVE-2020-1942</a> |
| </li> |
| <li> |
| Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-7079" target="_blank">NIFI-7079</a> |
| </li> |
| |
| <li> |
| GitHub Pull Request: <a href="https://github.com/apache/nifi/pull/4208" target="_blank">4208</a> |
| </li> |
| |
| </ul> |
| </li> |
| </ul> |
| |
| <p class="vulnerability-description"> |
| |
| |
| The flow fingerprint factory generated flow fingerprints which included sensitive property descriptor values. In the
| event a node attempted to join a cluster and the cluster flow was not inheritable, the flow fingerprint of both the
| cluster and local flow was printed, potentially containing sensitive values in plaintext. NiFi 1.11.1 implemented
| Argon2 secure hashing to provide a deterministic loggable value which does not reveal the sensitive value. Users running
| any previous NiFi release should upgrade to 1.11.1.
| |
| |
| </p> |
| </div> |
| <div class="vulnerability-container"> |
| <h3 id="CVE-2020-1928">CVE-2020-1928</h3> |
| |
| <ul> |
| <li>Title: Potential Information Disclosure in Application Debug Logs</li> |
| <li>Published: 2020-01-22</li> |
| <li>Severity: Medium</li> |
| <li>Products: Apache NiFi</li> |
| <li>Affected Versions: 1.10.0</li> |
| <li>Fixed Versions: 1.11.0</li> |
| <li>Reporter: Andy LoPresto</li> |
| <li>References |
| <ul> |
| <li> |
| CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2020-1928" target="_blank">CVE-2020-1928</a> |
| </li> |
| <li> |
| NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2020-1928" target="_blank">CVE-2020-1928</a> |
| </li> |
| <li> |
| Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-6948" target="_blank">NIFI-6948</a> |
| </li> |
| |
| <li> |
| GitHub Pull Request: <a href="https://github.com/apache/nifi/pull/3935" target="_blank">3935</a> |
| </li> |
| |
| </ul> |
| </li> |
| </ul> |
| |
| <p class="vulnerability-description"> |
| |
| |
| The sensitive parameter parser would log parsed property descriptor values for debugging purposes. This would expose
| literal values entered for a sensitive property when no parameter was present. NiFi 1.11.0 removed debug logging from
| the class. Users running the 1.10.0 release should upgrade to 1.11.0.
| |
| |
| </p> |
| </div> |
| <div class="vulnerability-container"> |
| <h3 id="CVE-2020-1933">CVE-2020-1933</h3> |
| |
| <ul> |
| <li>Title: Potential Cross-Site Scripting in Uploaded Templates</li> |
| <li>Published: 2020-01-22</li> |
| <li>Severity: Medium</li> |
| <li>Products: Apache NiFi</li> |
| <li>Affected Versions: 1.0.0 to 1.10.0</li> |
| <li>Fixed Versions: 1.11.0</li> |
| <li>Reporter: Jakub Palaczynski of ING Tech Poland</li> |
| <li>References |
| <ul> |
| <li> |
| CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2020-1933" target="_blank">CVE-2020-1933</a> |
| </li> |
| <li> |
| NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2020-1933" target="_blank">CVE-2020-1933</a> |
| </li> |
| <li> |
| Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-7023" target="_blank">NIFI-7023</a> |
| </li> |
| |
| <li> |
| GitHub Pull Request: <a href="https://github.com/apache/nifi/pull/3991" target="_blank">3991</a> |
| </li> |
| |
| </ul> |
| </li> |
| </ul> |
| |
| <p class="vulnerability-description"> |
| |
| |
| Malicious scripts could be injected into the UI through an action taken by an unaware authenticated user in Firefox;
| the issue did not appear to occur in other browsers. NiFi 1.11.0 adds sanitization of the error response, ensuring
| the injected script is not executed. Users running earlier versions should upgrade to 1.11.0.
| |
| |
| </p> |
| </div> |
| <div class="vulnerability-container"> |
| <h3 id="CVE-2019-10080">CVE-2019-10080</h3> |
| |
| <ul> |
| <li>Title: Potential Information Disclosure through XML External Entity Resolution in File Lookup Service</li> |
| <li>Published: 2019-11-04</li> |
| <li>Severity: Low</li> |
| <li>Products: Apache NiFi</li> |
| <li>Affected Versions: 1.3.0 to 1.9.2</li> |
| <li>Fixed Versions: 1.10.0</li> |
| <li>Reporter: RunningSnail</li> |
| <li>References |
| <ul> |
| <li> |
| CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2019-10080" target="_blank">CVE-2019-10080</a> |
| </li> |
| <li> |
| NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2019-10080" target="_blank">CVE-2019-10080</a> |
| </li> |
| <li> |
| Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-6301" target="_blank">NIFI-6301</a> |
| </li> |
| |
| <li> |
| GitHub Pull Request: <a href="https://github.com/apache/nifi/pull/3507" target="_blank">3507</a> |
| </li> |
| |
| </ul> |
| </li> |
| </ul> |
| |
| <p class="vulnerability-description"> |
| |
| |
| The XMLFileLookupService allowed trusted users to inadvertently configure a potentially malicious XML file. The XML file
| has the ability to make external calls to services using XML External Entity resolution and reveal information such as
| the versions of Java, Jersey, and Apache that the NiFi instance uses. NiFi 1.10.0 adds a validator to ensure the XML
| file is not malicious. Users running a prior release should upgrade to 1.10.0.
| |
| |
| </p> |
| </div> |
| <div class="vulnerability-container"> |
| <h3 id="CVE-2019-12421">CVE-2019-12421</h3> |
| |
| <ul> |
| <li>Title: Application Bearer Token Remains Valid After Logout Completion</li> |
| <li>Published: 2019-11-04</li> |
| <li>Severity: Medium</li> |
| <li>Products: Apache NiFi</li> |
| <li>Affected Versions: 1.0.0 to 1.9.2</li> |
| <li>Fixed Versions: 1.10.0</li> |
| <li>Reporter: Abdu Sahin</li> |
| <li>References |
| <ul> |
| <li> |
| CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2019-12421" target="_blank">CVE-2019-12421</a> |
| </li> |
| <li> |
| NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2019-12421" target="_blank">CVE-2019-12421</a> |
| </li> |
| <li> |
| Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-6085" target="_blank">NIFI-6085</a> |
| </li> |
| |
| <li> |
| GitHub Pull Request: <a href="https://github.com/apache/nifi/pull/3362" target="_blank">3362</a> |
| </li> |
| |
| </ul> |
| </li> |
| </ul> |
| |
| <p class="vulnerability-description"> |
| |
| |
| If NiFi uses an authentication mechanism other than PKI, when the user clicks Log Out, NiFi invalidates the |
| authentication token on the client side but not on the server side. This permits the user's client-side token to be used |
| for up to 12 hours after logging out to make API requests to NiFi. NiFi 1.10.0 invalidates the server-side |
| authentication token immediately after the user clicks the Log Out link. Users running a prior release should |
| upgrade to 1.10.0. |
| |
| |
| </p> |
| </div> |
| <div class="vulnerability-container"> |
| <h3 id="CVE-2019-10083">CVE-2019-10083</h3> |
| |
| <ul> |
| <li>Title: Potential Information Disclosure in Process Group Resources</li> |
| <li>Published: 2019-11-04</li> |
| <li>Severity: Medium</li> |
| <li>Products: Apache NiFi</li> |
| <li>Affected Versions: 1.0.0 to 1.9.2</li> |
| <li>Fixed Versions: 1.10.0</li> |
| <li>Reporter: Mark Payne</li> |
| <li>References |
| <ul> |
| <li> |
| CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2019-10083" target="_blank">CVE-2019-10083</a> |
| </li> |
| <li> |
| NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2019-10083" target="_blank">CVE-2019-10083</a> |
| </li> |
| <li> |
| Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-6302" target="_blank">NIFI-6302</a> |
| </li> |
| |
| <li> |
| GitHub Pull Request: <a href="https://github.com/apache/nifi/pull/3477" target="_blank">3477</a> |
| </li> |
| |
| </ul> |
| </li> |
| </ul> |
| |
| <p class="vulnerability-description"> |
| |
| |
| When updating a Process Group via the API, the response to the request includes all of its contents (at the top most |
| level, not recursively). The response included details about processors and controller services which the user may not |
| have had read access to. Requests to update or remove the process group will no longer return the contents of the |
| process group in the response in Apache NiFi 1.10.0. Users running a prior release should upgrade to 1.10.0. |
| |
| |
| </p> |
| </div> |
| <div class="vulnerability-container"> |
| <h3 id="CVE-2018-17192">CVE-2018-17192</h3> |
| |
| <ul> |
| <li>Title: Improper Restriction of Browser Frame Access</li> |
| <li>Published: 2018-10-26</li> |
| <li>Severity: Low</li> |
| <li>Products: Apache NiFi</li> |
| <li>Affected Versions: 1.0.0 to 1.6.0</li> |
| <li>Fixed Versions: 1.8.0</li> |
| <li>Reporter: Suchithra V N</li> |
| <li>References |
| <ul> |
| <li> |
| CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2018-17192" target="_blank">CVE-2018-17192</a> |
| </li> |
| <li> |
| NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2018-17192" target="_blank">CVE-2018-17192</a> |
| </li> |
| <li> |
| Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-5258" target="_blank">NIFI-5258</a> |
| </li> |
| |
| <li> |
| GitHub Pull Request: <a href="https://github.com/apache/nifi/pull/2759" target="_blank">2759</a> |
| </li> |
| |
| </ul> |
| </li> |
| </ul> |
| |
| <p class="vulnerability-description"> |
| |
| |
| The X-Frame-Options headers were applied inconsistently on some HTTP responses, resulting in duplicate or missing |
| security headers. Some browsers would interpret these results incorrectly, allowing clickjacking attacks. NiFi 1.8.0 |
| consistently applies the security headers including X-Frame-Options. Users running a prior release should upgrade to |
| 1.8.0. |
| |
| |
| </p> |
| </div> |
| <div class="vulnerability-container"> |
| <h3 id="CVE-2018-17193">CVE-2018-17193</h3> |
| |
| <ul> |
| <li>Title: Improper Neutralization of Input in Proxy Request Headers</li> |
| <li>Published: 2018-10-26</li> |
| <li>Severity: Medium</li> |
| <li>Products: Apache NiFi</li> |
| <li>Affected Versions: 1.0.0 to 1.7.1</li> |
| <li>Fixed Versions: 1.8.0</li> |
| <li>Reporter: Dan Fike with assistance from Patrick White</li> |
| <li>References |
| <ul> |
| <li> |
| CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2018-17193" target="_blank">CVE-2018-17193</a> |
| </li> |
| <li> |
| NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2018-17193" target="_blank">CVE-2018-17193</a> |
| </li> |
| <li> |
| Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-5442" target="_blank">NIFI-5442</a> |
| </li> |
| |
| <li> |
| GitHub Pull Request: <a href="https://github.com/apache/nifi/pull/2908" target="_blank">2908</a> |
| </li> |
| |
| </ul> |
| </li> |
| </ul> |
| |
| <p class="vulnerability-description"> |
| |
| |
| The message-page.jsp error page used the value of the HTTP request header X-ProxyContextPath without sanitization, |
| resulting in a potential reflected cross-site scripting attack. NiFi 1.8.0 correctly parses and sanitizes the request |
| attribute value. Users running a prior release should upgrade to 1.8.0. |
| |
| |
| </p> |
| </div> |
| <div class="vulnerability-container"> |
| <h3 id="CVE-2018-17194">CVE-2018-17194</h3> |
| |
| <ul> |
| <li>Title: Potential Denial of Service with HTTP DELETE Cluster Replication Requests</li> |
| <li>Published: 2018-10-26</li> |
| <li>Severity: Medium</li> |
| <li>Products: Apache NiFi</li> |
| <li>Affected Versions: 1.0.0 to 1.7.1</li> |
| <li>Fixed Versions: 1.8.0</li> |
| <li>Reporter: Mike Cole and Andy LoPresto</li> |
| <li>References |
| <ul> |
| <li> |
| CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2018-17194" target="_blank">CVE-2018-17194</a> |
| </li> |
| <li> |
| NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2018-17194" target="_blank">CVE-2018-17194</a> |
| </li> |
| <li> |
| Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-5628" target="_blank">NIFI-5628</a> |
| </li> |
| |
| <li> |
| GitHub Pull Request: <a href="https://github.com/apache/nifi/pull/3035" target="_blank">3035</a> |
| </li> |
| |
| </ul> |
| </li> |
| </ul> |
| |
| <p class="vulnerability-description"> |
| |
| |
| When a client request to a cluster node was replicated to other nodes in the cluster for verification, the
| Content-Length header was forwarded. On a DELETE request the body was ignored, but if the initial request had a
| Content-Length value other than 0, the receiving nodes would wait for the body and eventually time out. NiFi 1.8.0
| checks DELETE requests and overwrites any non-zero Content-Length header. Users running a prior release should upgrade
| to 1.8.0.
| |
| |
| </p> |
| </div> |
| <div class="vulnerability-container"> |
| <h3 id="CVE-2018-17195">CVE-2018-17195</h3> |
| |
| <ul> |
| <li>Title: Potential Cross-Site Request Forgery in Template Upload Resources</li> |
| <li>Published: 2018-10-26</li> |
| <li>Severity: Critical</li> |
| <li>Products: Apache NiFi</li> |
| <li>Affected Versions: 1.0.0 to 1.7.1</li> |
| <li>Fixed Versions: 1.8.0</li> |
| <li>Reporter: Mike Cole</li> |
| <li>References |
| <ul> |
| <li> |
| CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2018-17195" target="_blank">CVE-2018-17195</a> |
| </li> |
| <li> |
| NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2018-17195" target="_blank">CVE-2018-17195</a> |
| </li> |
| <li> |
| Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-5595" target="_blank">NIFI-5595</a> |
| </li> |
| |
| <li> |
| GitHub Pull Request: <a href="https://github.com/apache/nifi/pull/3024" target="_blank">3024</a> |
| </li> |
| |
| </ul> |
| </li> |
| </ul> |
| |
| <p class="vulnerability-description"> |
| |
| |
| The template upload API endpoint accepted requests from a different domain when sent in conjunction with ARP spoofing
| and meddler-in-the-middle (MITM) intervention, resulting in cross-site request forgery. The required attack vector is
| complex — it requires client certificate authentication, access to the same subnet, and injecting malicious code into
| an unprotected (plaintext HTTP) website which the targeted user later visits — but the possible damage warranted a
| Critical severity level. NiFi 1.8.0 applies Cross-Origin Resource Sharing (CORS) policy request filtering. Users
| running a prior release should upgrade to 1.8.0.
| |
| |
| </p> |
| </div> |
| <div class="vulnerability-container"> |
| <h3 id="CVE-2018-1309">CVE-2018-1309</h3> |
| |
| <ul> |
| <li>Title: Improper Restriction of XML External Entity References in SplitXml</li> |
| <li>Published: 2018-04-08</li> |
| <li>Severity: Medium</li> |
| <li>Products: Apache NiFi</li> |
| <li>Affected Versions: 0.1.0 to 1.5.0</li> |
| <li>Fixed Versions: 1.6.0</li> |
| <li>Reporter: 圆珠笔</li> |
| <li>References |
| <ul> |
| <li> |
| CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2018-1309" target="_blank">CVE-2018-1309</a> |
| </li> |
| <li> |
| NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2018-1309" target="_blank">CVE-2018-1309</a> |
| </li> |
| <li> |
| Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-4869" target="_blank">NIFI-4869</a> |
| </li> |
| |
| <li> |
| GitHub Pull Request: <a href="https://github.com/apache/nifi/pull/2466" target="_blank">2466</a> |
| </li> |
| |
| </ul> |
| </li> |
| </ul> |
| |
| <p class="vulnerability-description"> |
| |
| |
| Malicious XML content could cause information disclosure or remote code execution in the SplitXml Processor. NiFi 1.6.0 |
| disables external general entity parsing and disallows document type declarations in SplitXml. Users running a prior |
| release should upgrade to 1.6.0. |
| |
| |
| </p> |
| </div> |
| <div class="vulnerability-container"> |
| <h3 id="CVE-2018-1310">CVE-2018-1310</h3> |
| |
| <ul> |
| <li>Title: Potential Denial of Service in JMS Processors</li> |
| <li>Published: 2018-04-08</li> |
| <li>Severity: Medium</li> |
| <li>Products: Apache NiFi</li> |
| <li>Affected Versions: 0.1.0 to 1.5.0</li> |
| <li>Fixed Versions: 1.6.0</li> |
| <li>Reporter: 圆珠笔</li> |
| <li>References |
| <ul> |
| <li> |
| CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2018-1310" target="_blank">CVE-2018-1310</a> |
| </li> |
| <li> |
| NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2018-1310" target="_blank">CVE-2018-1310</a> |
| </li> |
| <li> |
| Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-4870" target="_blank">NIFI-4870</a> |
| </li> |
| |
| <li> |
| GitHub Pull Request: <a href="https://github.com/apache/nifi/pull/2469" target="_blank">2469</a> |
| </li> |
| |
| </ul> |
| </li> |
| </ul> |
| |
| <p class="vulnerability-description"> |
| |
| |
| Malicious JMS content could cause a denial of service in the impacted Processors. See the ActiveMQ CVE-2015-5254
| announcement for more information. NiFi 1.6.0 upgrades the activemq-client library to 5.15.3. Users running a prior
| release should upgrade to 1.6.0.
| |
| |
| </p> |
| </div> |
| <div class="vulnerability-container"> |
| <h3 id="CVE-2017-12632">CVE-2017-12632</h3> |
| |
| <ul> |
| <li>Title: Improper Input Validation of HTTP Host Request Headers</li> |
| <li>Published: 2018-01-12</li> |
| <li>Severity: Medium</li> |
| <li>Products: Apache NiFi</li> |
| <li>Affected Versions: 0.1.0 to 1.4.0</li> |
| <li>Fixed Versions: 1.5.0</li> |
| <li>Reporter: Mike Cole</li> |
| <li>References |
| <ul> |
| <li> |
| CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2017-12632" target="_blank">CVE-2017-12632</a> |
| </li> |
| <li> |
| NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2017-12632" target="_blank">CVE-2017-12632</a> |
| </li> |
| <li> |
| Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-4501" target="_blank">NIFI-4501</a> |
| </li> |
| |
| <li> |
| GitHub Pull Request: <a href="https://github.com/apache/nifi/pull/2279" target="_blank">2279</a> |
| </li> |
| |
| </ul> |
| </li> |
| </ul> |
| |
| <p class="vulnerability-description"> |
| |
| |
| A malicious Host header in an incoming HTTP request could cause NiFi to load resources from an external server. NiFi
| 1.5.0 sanitizes Host headers and compares them against a configured allow-list property. Users running a prior
| release should upgrade to 1.5.0.
| |
| |
| </p> |
| </div> |
| <div class="vulnerability-container"> |
| <h3 id="CVE-2017-15697">CVE-2017-15697</h3> |
| |
| <ul> |
| <li>Title: Potential Cross-Site Scripting in Proxy Request Headers</li> |
| <li>Published: 2018-01-12</li> |
| <li>Severity: Medium</li> |
| <li>Products: Apache NiFi</li> |
| <li>Affected Versions: 1.0.0 to 1.4.0</li> |
| <li>Fixed Versions: 1.5.0</li> |
| <li>Reporter: Andy LoPresto</li> |
| <li>References |
| <ul> |
| <li> |
| CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2017-15697" target="_blank">CVE-2017-15697</a> |
| </li> |
| <li> |
| NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2017-15697" target="_blank">CVE-2017-15697</a> |
| </li> |
| <li> |
| Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-4501" target="_blank">NIFI-4501</a> |
| </li> |
| |
| <li> |
| GitHub Pull Request: <a href="https://github.com/apache/nifi/pull/2279" target="_blank">2279</a> |
| </li> |
| |
| </ul> |
| </li> |
| </ul> |
| |
| <p class="vulnerability-description"> |
| |
| |
| A malicious X-ProxyContextPath or X-Forwarded-Context header containing external resources or embedded code could cause |
| remote code execution. NiFi 1.5.0 includes corrected handling of these headers. Users running a prior release should |
| upgrade to 1.5.0. |
| |
| |
| </p> |
| </div> |
| <div class="vulnerability-container"> |
| <h3 id="CVE-2017-12623">CVE-2017-12623</h3> |
| |
| <ul> |
| <li>Title: Improper Restriction of XML External Entity References in Template Upload Resources</li> |
| <li>Published: 2017-10-02</li> |
| <li>Severity: High</li> |
| <li>Products: Apache NiFi</li> |
| <li>Affected Versions: 1.0.0 to 1.3.0</li> |
| <li>Fixed Versions: 1.4.0</li> |
| <li>Reporter: Paweł Gocyla with further information from Mike Cole</li> |
| <li>References |
| <ul> |
| <li> |
| CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2017-12623" target="_blank">CVE-2017-12623</a> |
| </li> |
| <li> |
| NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2017-12623" target="_blank">CVE-2017-12623</a> |
| </li> |
| <li> |
| Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-4353" target="_blank">NIFI-4353</a> |
| </li> |
| |
| <li> |
| GitHub Pull Request: <a href="https://github.com/apache/nifi/pull/2128" target="_blank">2128</a> |
| </li> |
| |
| </ul> |
| </li> |
| </ul> |
| |
| <p class="vulnerability-description"> |
| |
| |
| Any authenticated user (valid client certificate but without ACL permissions) could upload a template which contained
| malicious code and accessed sensitive files via an XML External Entity (XXE) attack. NiFi 1.4.0 properly handles XML
| External Entities. Users running a prior release should upgrade to 1.4.0.
| |
| |
| </p> |
| </div> |
| <div class="vulnerability-container"> |
| <h3 id="CVE-2017-15703">CVE-2017-15703</h3> |
| |
| <ul> |
| <li>Title: Deserialization of Untrusted Data in Template Upload Resources</li> |
| <li>Published: 2017-10-02</li> |
| <li>Severity: Medium</li> |
| <li>Products: Apache NiFi</li> |
| <li>Affected Versions: 1.0.0 to 1.3.0</li> |
| <li>Fixed Versions: 1.4.0</li> |
| <li>Reporter: Mike Cole</li> |
| <li>References |
| <ul> |
| <li> |
| CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2017-15703" target="_blank">CVE-2017-15703</a> |
| </li> |
| <li> |
| NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2017-15703" target="_blank">CVE-2017-15703</a> |
| </li> |
| <li> |
| Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-4357" target="_blank">NIFI-4357</a> |
| </li> |
| |
| <li> |
| GitHub Pull Request: <a href="https://github.com/apache/nifi/pull/2134" target="_blank">2134</a> |
| </li> |
| |
| </ul> |
| </li> |
| </ul> |
| |
| <p class="vulnerability-description"> |
| |
| |
| Any authenticated user (valid client certificate but without ACL permissions) could upload a template which contained |
| malicious code and cause a denial of service via Java deserialization. NiFi 1.4.0 properly handles Java deserialization. |
| Users running a prior release should upgrade to 1.4.0. |
| |
| |
| </p> |
| </div> |
| <div class="vulnerability-container"> |
| <h3 id="CVE-2017-7665">CVE-2017-7665</h3> |
| |
| <ul> |
| <li>Title: Potential Cross-Site Scripting in User Interface Components</li> |
| <li>Published: 2017-05-08</li> |
| <li>Severity: Medium</li> |
| <li>Products: Apache NiFi</li> |
| <li>Affected Versions: 0.0.1 to 0.7.3 and 1.0.0 to 1.2.0</li> |
| <li>Fixed Versions: 0.7.4 and 1.3.0</li> |
| <li>Reporter: Matt Gilman</li> |
| <li>References |
| <ul> |
| <li> |
| CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2017-7665" target="_blank">CVE-2017-7665</a> |
| </li> |
| <li> |
| NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2017-7665" target="_blank">CVE-2017-7665</a> |
| </li> |
| <li> |
| Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-3906" target="_blank">NIFI-3906</a> |
| </li> |
| |
| <li> |
| GitHub Pull Request: <a href="https://github.com/apache/nifi/pull/1818" target="_blank">1818</a> |
| </li> |
| |
| </ul> |
| </li> |
| </ul> |
| |
| <p class="vulnerability-description"> |
| |
| |
| Certain user input components in the Apache NiFi UI guarded against some forms of cross-site scripting, but that |
| guarding was insufficient. NiFi 0.7.4 and 1.3.0 add more complete user input sanitization. Users running a |
| prior release should upgrade to 0.7.4 or 1.3.0. |
| |
| |
| </p> |
| </div> |
| <div class="vulnerability-container"> |
| <h3 id="CVE-2017-7667">CVE-2017-7667</h3> |
| |
| <ul> |
| <li>Title: Potential Cross-Frame Scripting from Improper Frame Access Restrictions</li> |
| <li>Published: 2017-05-08</li> |
| <li>Severity: Medium</li> |
| <li>Products: Apache NiFi</li> |
| <li>Affected Versions: 0.0.1 to 0.7.3 and 1.0.0 to 1.2.0</li> |
| <li>Fixed Versions: 0.7.4 and 1.3.0</li> |
| <li>Reporter: Matt Gilman</li> |
| <li>References |
| <ul> |
| <li> |
| CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2017-7667" target="_blank">CVE-2017-7667</a> |
| </li> |
| <li> |
| NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2017-7667" target="_blank">CVE-2017-7667</a> |
| </li> |
| <li> |
| Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-3907" target="_blank">NIFI-3907</a> |
| </li> |
| |
| </ul> |
| </li> |
| </ul> |
| |
| <p class="vulnerability-description"> |
| |
| |
| Apache NiFi needed to set the response header that tells browsers to allow framing only from the same origin. NiFi |
| 0.7.4 and 1.3.0 set the response header. Users running a prior release should upgrade to 0.7.4 or 1.3.0. |
| |
| |
| </p> |
| </div> |
| <div class="vulnerability-container"> |
| <h3 id="CVE-2017-5635">CVE-2017-5635</h3> |
| |
| <ul> |
| <li>Title: Improper Authentication of Replicated Cluster HTTP Requests</li> |
| <li>Published: 2017-02-20</li> |
| <li>Severity: Medium</li> |
| <li>Products: Apache NiFi</li> |
| <li>Affected Versions: 0.7.0 to 0.7.1 and 1.1.0 to 1.1.1</li> |
| <li>Fixed Versions: 0.7.2 and 1.1.2</li> |
| <li>Reporter: Leonardo Dias and Matt Gilman</li> |
| <li>References |
| <ul> |
| <li> |
| CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2017-5635" target="_blank">CVE-2017-5635</a> |
| </li> |
| <li> |
| NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2017-5635" target="_blank">CVE-2017-5635</a> |
| </li> |
| <li> |
| Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-3487" target="_blank">NIFI-3487</a> |
| </li> |
| |
| </ul> |
| </li> |
| </ul> |
| |
| <p class="vulnerability-description"> |
| |
| |
| In a cluster environment, if an anonymous user request is replicated to another node, the originating node identity is |
| used rather than the anonymous user. NiFi 0.7.2 and 1.1.2 remove the negative check for the anonymous user that was made |
| before building the proxy chain and throwing an exception, and instead evaluate each user in the proxy chain iteration, |
| comparing it against a static constant anonymous user. Users running a prior release should upgrade to 0.7.2 or 1.1.2. |
| |
| |
| </p> |
| </div> |
| <div class="vulnerability-container"> |
| <h3 id="CVE-2017-5636">CVE-2017-5636</h3> |
| |
| <ul> |
| <li>Title: Improper Authentication of Replicated Cluster HTTP Requests</li> |
| <li>Published: 2017-02-20</li> |
| <li>Severity: Medium</li> |
| <li>Products: Apache NiFi</li> |
| <li>Affected Versions: 0.7.0 to 0.7.1 and 1.1.0 to 1.1.1</li> |
| <li>Fixed Versions: 0.7.2 and 1.1.2</li> |
| <li>Reporter: Andy LoPresto</li> |
| <li>References |
| <ul> |
| <li> |
| CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2017-5636" target="_blank">CVE-2017-5636</a> |
| </li> |
| <li> |
| NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2017-5636" target="_blank">CVE-2017-5636</a> |
| </li> |
| <li> |
| Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-3487" target="_blank">NIFI-3487</a> |
| </li> |
| |
| </ul> |
| </li> |
| </ul> |
| |
| <p class="vulnerability-description"> |
| |
| |
| In a cluster environment, the proxy chain serialization and deserialization are vulnerable to an injection attack in which |
| a carefully crafted username could be used to impersonate another user and gain their permissions on a replicated request |
| to another node. NiFi 0.7.2 and 1.1.2 modify the tokenization code and the sanitization of user-provided input. Users |
| running a prior release should upgrade to 0.7.2 or 1.1.2. |
| |
| |
| </p> |
| </div> |
| <div class="vulnerability-container"> |
| <h3 id="CVE-2016-8748">CVE-2016-8748</h3> |
| |
| <ul> |
| <li>Title: Potential Cross-Site Scripting in Connection Details Dialog</li> |
| <li>Published: 2016-12-19</li> |
| <li>Severity: Medium</li> |
| <li>Products: Apache NiFi</li> |
| <li>Affected Versions: 1.0.0 and 1.1.0</li> |
| <li>Fixed Versions: 1.0.1 and 1.1.1</li> |
| <li>Reporter: Matt Gilman</li> |
| <li>References |
| <ul> |
| <li> |
| CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2016-8748" target="_blank">CVE-2016-8748</a> |
| </li> |
| <li> |
| NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2016-8748" target="_blank">CVE-2016-8748</a> |
| </li> |
| <li> |
| Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-3154" target="_blank">NIFI-3154</a> |
| </li> |
| |
| <li> |
| GitHub Pull Request: <a href="https://github.com/apache/nifi/pull/1305" target="_blank">1305</a> |
| </li> |
| |
| </ul> |
| </li> |
| </ul> |
| |
| <p class="vulnerability-description"> |
| |
| |
| There is a cross-site scripting vulnerability in the connection details dialog when accessed by an authorized user. The |
| user-supplied text was not being properly handled when added to the DOM. The vulnerability was resolved as part of |
| reviewing and merging the pull request. Users running a prior release should upgrade to 1.0.1 or 1.1.1. |
| |
| |
| </p> |
| </div> |
| |
| </div> |
| </main> |
| <footer> |
| <div class="uk-container"> |
| <div class="uk-flex uk-grid uk-grid-large"> |
| <div class="uk-width-1-2@m"> |
| <p> |
| <a class="uk-link-reset" href="/"> |
| <img src="/images/apache-nifi-logo.svg" class="footer-logo" alt="Apache NiFi Logo"/> |
| </a> |
| <a class="uk-link-reset" href="https://apache.org"> |
| <img src="/images/apache-logo.svg" class="footer-logo uk-margin-left" alt="Apache Software Foundation Logo"/> |
| </a> |
| </p> |
| <p> |
| Copyright © 2024 The Apache Software Foundation under the terms of the |
| <a href="https://www.apache.org/licenses/LICENSE-2.0.html">Apache License, Version 2.0</a> |
| </p> |
| <p> |
| Apache NiFi, NiFi, and the NiFi logo are trademarks of |
| <a href="https://apache.org/">The Apache Software Foundation</a> |
| </p> |
| </div> |
| <div class="uk-width-1-4@m"> |
| <h3><a href="/">Project</a></h3> |
| <ul> |
| <li><a href="https://issues.apache.org/jira/browse/NIFI">Issues</a></li> |
| <li><a href="https://github.com/apache/nifi">Source</a></li> |
| <li><a href="https://www.linkedin.com/company/apache-nifi/">LinkedIn</a></li> |
| <li><a href="https://join.slack.com/t/apachenifi/shared_invite/zt-2ccusmst2-l2KrTzJLrGcHOO0V7~XD4g">Slack</a></li> |
| <li><a href="https://nifi.apache.org/documentation/security/">Security</a></li> |
| </ul> |
| </div> |
| <div class="uk-width-1-4@m"> |
| <h3><a href="https://www.apache.org/">Apache</a></h3> |
| <ul> |
| <li><a href="https://www.apache.org/licenses/">License</a></li> |
| <li><a href="https://privacy.apache.org/policies/privacy-policy-public.html">Privacy</a></li> |
| <li><a href="https://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li> |
| <li><a href="https://www.apache.org/foundation/thanks.html">Thanks</a></li> |
| </ul> |
| </div> |
| </div> |
| </div> |
| </footer> |
| <script src="/uikit/js/uikit.min.js"></script> |
| <script src="/uikit/js/uikit-icons.min.js"></script> |
| </body> |
| </html> |