Google Git
Sign in
apache / nifi-site / 440c96d8b6646e9253077a3d9c1e82ca2a5eb14e / . / documentation / security / index.html
blob: ea824471a1e82a00aabce3ca369521024b212b1c [file] [log] [blame]
<!DOCTYPE html>
<html lang="en">
<head>
<title>Security Reporting - Apache NiFi</title>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="Apache NiFi is an easy to use, powerful, and reliable system to process and distribute data">
<meta name="keywords" content="apache,nifi,data,distribution">
<title>Security Reporting - Apache NiFi</title>
<meta property="og:title" content="Security Reporting">
<meta property="og:type" content="article">
<meta property="og:url" content="https://nifi.apache.org/documentation/security/">
<meta property="og:description" content="Apache NiFi is an easy to use, powerful, and reliable system to process and distribute data">
<meta property="og:site_name" content="Apache NiFi">
<meta property="og:image" content="https://nifi.apache.org/images/project-brand.jpg?version=1">
<meta name="twitter:title" content="Security Reporting">
<meta name="twitter:description" content="Apache NiFi is an easy to use, powerful, and reliable system to process and distribute data">
<meta name="twitter:card" content="summary_large_image">
<meta name="twitter:creator" content="apachenifi">
<meta name="twitter:image" content="https://nifi.apache.org/images/project-brand.jpg?version=1">
<link rel="icon" href="/images/apache-nifi-drop-logo.svg">
<link rel="stylesheet" href="/uikit/css/uikit.min.css">
<link rel="stylesheet" href="/css/main.css?version=1">
<script>
var _paq = window._paq = window._paq || [];
_paq.push(['disableCookies']);
_paq.push(['trackPageView']);
_paq.push(['enableLinkTracking']);
(function() {
var baseUri = "//matomo.privacy.apache.org/";
_paq.push(['setTrackerUrl', baseUri + 'matomo.php']);
_paq.push(['setSiteId', '28']);
var trackerElement = document.createElement('script');
var firstScriptElement = document.getElementsByTagName('script')[0];
trackerElement.async = true;
trackerElement.src = baseUri + 'matomo.js';
var firstScriptElement = document.getElementsByTagName('script')[0];
if (window.location.host === 'nifi.apache.org') {
firstScriptElement.parentNode.insertBefore(trackerElement, firstScriptElement);
}
})();
</script>
</head>
<body class="section-background">
<div class="nav-container" uk-sticky="sel-target: .uk-navbar-container; cls-active: uk-navbar-sticky">
<nav class="uk-container uk-navbar-container uk-navbar-transparent" uk-navbar>
<div class="uk-navbar-left">
<ul class="uk-navbar-nav">
<li>
<a class="uk-navbar-item" href="/">
<img src="/images/apache-nifi-drop-logo.svg" alt="Apache NiFi Logo" class="navbar-logo" width="36" height="48" />
</a>
</li>
<li class="uk-hidden@s">
<a href="#" class="uk-navbar-toggle" uk-navbar-toggle-icon uk-toggle="target: #mobile-menu"></a>
</li>
<li class="uk-visible@s uk-active">
<a href="/documentation/">Documentation</a>
<ul class="uk-dropdown" uk-dropdown="mode: click; animation: uk-animation-slide-top-small; duration: 300;">
<li class="">
<a href="/documentation/v2/" >
NiFi Version 2 Documentation
</a>
</li>
<li class="">
<a href="/documentation/v1/" >
NiFi Version 1 Documentation
</a>
</li>
<li class="">
<a href="/documentation/guides/" >
Guides
</a>
</li>
<li class="uk-active">
<a href="/documentation/security/" >
Security Reporting
</a>
</li>
<li class="">
<a href="https://cwiki.apache.org/confluence/display/NIFI" target="_blank" rel="noopener noreferrer">
Wiki
<span uk-icon="link"></span>
</a>
</li>
</ul>
</li>
<li class="uk-visible@s ">
<a href="/development/">Development</a>
<ul class="uk-dropdown" uk-dropdown="mode: click; animation: uk-animation-slide-top-small; duration: 300;">
<li class="">
<a href="https://cwiki.apache.org/confluence/display/NIFI/Contributor&#43;Guide" target="_blank" rel="noopener noreferrer">
Contributing
<span uk-icon="link"></span>
</a>
</li>
<li class="">
<a href="https://issues.apache.org/jira/browse/NIFI" target="_blank" rel="noopener noreferrer">
Issues
<span uk-icon="link"></span>
</a>
</li>
<li class="">
<a href="https://github.com/apache/nifi" target="_blank" rel="noopener noreferrer">
Source
<span uk-icon="link"></span>
</a>
</li>
</ul>
</li>
<li class="uk-visible@s ">
<a href="/community/">Community</a>
<ul class="uk-dropdown" uk-dropdown="mode: click; animation: uk-animation-slide-top-small; duration: 300;">
<li class="">
<a href="/community/contact/" >
Contact
</a>
</li>
<li class="">
<a href="/community/powered-by/" >
Powered By
</a>
</li>
<li class="">
<a href="/community" >
Team
</a>
</li>
</ul>
</li>
<li class="uk-visible@s ">
<a href="/projects/">Projects</a>
<ul class="uk-dropdown" uk-dropdown="mode: click; animation: uk-animation-slide-top-small; duration: 300;">
<li class="">
<a href="/projects/minifi/" >
MiNiFi
</a>
</li>
<li class="">
<a href="/projects/registry/" >
Registry
</a>
</li>
<li class="">
<a href="/projects/fds/" >
Flow Design System
</a>
</li>
</ul>
</li>
<li class="uk-visible@s ">
<a href="https://www.apache.org">Apache</a>
<ul class="uk-dropdown" uk-dropdown="mode: click; animation: uk-animation-slide-top-small; duration: 300;">
<li class="">
<a href="https://apache.org/events/current-event" target="_blank" rel="noopener noreferrer">
Events
<span uk-icon="link"></span>
</a>
</li>
<li class="">
<a href="https://www.apache.org/licenses" target="_blank" rel="noopener noreferrer">
License
<span uk-icon="link"></span>
</a>
</li>
<li class="">
<a href="https://privacy.apache.org/policies/privacy-policy-public.html" target="_blank" rel="noopener noreferrer">
Privacy
<span uk-icon="link"></span>
</a>
</li>
<li class="">
<a href="https://www.apache.org/security/" target="_blank" rel="noopener noreferrer">
Security
<span uk-icon="link"></span>
</a>
</li>
<li class="">
<a href="https://www.apache.org/foundation/sponsorship.html" target="_blank" rel="noopener noreferrer">
Sponsorship
<span uk-icon="link"></span>
</a>
</li>
<li class="">
<a href="https://www.apache.org/foundation/thanks.html" target="_blank" rel="noopener noreferrer">
Thanks
<span uk-icon="link"></span>
</a>
</li>
</ul>
</li>
</ul>
</div>
<div class="uk-navbar-right">
<ul class="uk-navbar-nav">
<li>
<div class="uk-navbar-item">
<a class="uk-icon-link navbar-icon" uk-icon="icon: github; ratio: 2" href="https://github.com/apache/nifi"></a>
</div>
</li>
<li>
<div class="uk-navbar-item">
<a class="uk-button uk-button-primary uk-icon" href="/download/">
Download
</a>
</div>
</li>
</ul>
</div>
</nav>
</div>
<div id="mobile-menu" uk-offcanvas class="uk-offcanvas">
<div class="uk-offcanvas-bar">
<ul class="uk-navbar-nav" uk-accordion>
<li class="uk-active">
<a class="uk-accordion-title" >Documentation</a>
<ul class="uk-accordion-content">
<li class="">
<a href="/documentation/v2/" >
NiFi Version 2 Documentation
</a>
</li>
<li class="">
<a href="/documentation/v1/" >
NiFi Version 1 Documentation
</a>
</li>
<li class="">
<a href="/documentation/guides/" >
Guides
</a>
</li>
<li class="uk-active">
<a href="/documentation/security/" >
Security Reporting
</a>
</li>
<li class="">
<a href="https://cwiki.apache.org/confluence/display/NIFI" target="_blank" rel="noopener noreferrer">
Wiki
<span uk-icon="link"></span>
</a>
</li>
</ul>
</li>
<li class="">
<a class="uk-accordion-title" >Development</a>
<ul class="uk-accordion-content">
<li class="">
<a href="https://cwiki.apache.org/confluence/display/NIFI/Contributor&#43;Guide" target="_blank" rel="noopener noreferrer">
Contributing
<span uk-icon="link"></span>
</a>
</li>
<li class="">
<a href="https://issues.apache.org/jira/browse/NIFI" target="_blank" rel="noopener noreferrer">
Issues
<span uk-icon="link"></span>
</a>
</li>
<li class="">
<a href="https://github.com/apache/nifi" target="_blank" rel="noopener noreferrer">
Source
<span uk-icon="link"></span>
</a>
</li>
</ul>
</li>
<li class="">
<a class="uk-accordion-title" >Community</a>
<ul class="uk-accordion-content">
<li class="">
<a href="/community/contact/" >
Contact
</a>
</li>
<li class="">
<a href="/community/powered-by/" >
Powered By
</a>
</li>
<li class="">
<a href="/community" >
Team
</a>
</li>
</ul>
</li>
<li class="">
<a class="uk-accordion-title" >Projects</a>
<ul class="uk-accordion-content">
<li class="">
<a href="/projects/minifi/" >
MiNiFi
</a>
</li>
<li class="">
<a href="/projects/registry/" >
Registry
</a>
</li>
<li class="">
<a href="/projects/fds/" >
Flow Design System
</a>
</li>
</ul>
</li>
<li class="">
<a class="uk-accordion-title" >Apache</a>
<ul class="uk-accordion-content">
<li class="">
<a href="https://apache.org/events/current-event" target="_blank" rel="noopener noreferrer">
Events
<span uk-icon="link"></span>
</a>
</li>
<li class="">
<a href="https://www.apache.org/licenses" target="_blank" rel="noopener noreferrer">
License
<span uk-icon="link"></span>
</a>
</li>
<li class="">
<a href="https://privacy.apache.org/policies/privacy-policy-public.html" target="_blank" rel="noopener noreferrer">
Privacy
<span uk-icon="link"></span>
</a>
</li>
<li class="">
<a href="https://www.apache.org/security/" target="_blank" rel="noopener noreferrer">
Security
<span uk-icon="link"></span>
</a>
</li>
<li class="">
<a href="https://www.apache.org/foundation/sponsorship.html" target="_blank" rel="noopener noreferrer">
Sponsorship
<span uk-icon="link"></span>
</a>
</li>
<li class="">
<a href="https://www.apache.org/foundation/thanks.html" target="_blank" rel="noopener noreferrer">
Thanks
<span uk-icon="link"></span>
</a>
</li>
</ul>
</li>
</ul>
</div>
</div>
<main>
<div class="uk-container">
<h1 id="apache-hahahugoshortcode-s0-hbhb-security">Apache <span class="ni">Ni</span><span class="fi">Fi</span>
Security</h1>
<p>Apache NiFi welcomes the responsible reporting of security vulnerabilities. Project Management Committee members will
collaborate and respond to potential vulnerabilities, providing an assessment of the concern and a plan of action to
remediate verified issues.</p>
<h2 id="reporting-policy">Reporting Policy</h2>
<p>Please read the <a href="https://www.apache.org/security/committers.html">Apache Project Security for Committers</a>
policy for general guidelines applicable disclosure of security issues for Apache Software Foundation projects.</p>
<p>Do not perform the following actions after discovering a potential security concern:</p>
<ul>
<li>Open a Jira disclosing a security vulnerability to the public</li>
<li>Send a message to the project mailing lists disclosing a security vulnerability to the public</li>
<li>Send a message to the project Slack instance disclosing a security vulnerability to the public</li>
</ul>
<h2 id="reporting-guidelines">Reporting Guidelines</h2>
<p>Configuring dangerous operating system commands or custom scripts is not a project security vulnerability.
Authenticated and authorized users are responsible for the security of operating system commands and custom
code.</p>
<p>Apache NiFi provides a framework for developing processing pipelines using standard and custom
components. The framework supports configurable permissions that enable authorized users to execute code
using several standard components. Components such as ExecuteProcess and ExecuteStreamCommand support
running operating system commands, while other scripted components support executing custom code using
different programming languages. Configuring these components with untrusted commands or arguments is
contrary to best practices, but it does not constitute of security issue for remediation.</p>
<h2 id="reporting-process">Reporting Process</h2>
<ul>
<li>Notify the project on initial discovery of a potential security vulnerability</li>
<li>Provide a reasonable amount of time for an initial assessment and remediation plan</li>
<li>Limit interaction to accounts under direct control or accounts with explicit permission of the owner</li>
<li>Avoid privacy violations, destruction of data, and interruption or degradation of services</li>
<li>Avoid spamming, social engineering, and methods to manipulate project members</li>
</ul>
<h2 id="reporting-methods">Reporting Methods</h2>
<ul>
<li>Security Mailing List: <a href="mailto:security@nifi.apache.org">security@nifi.apache.org</a>
<ul>
<li>Members of the Project Management Committee monitor this private mailing list and respond to disclosures</li>
</ul>
</li>
</ul>
<h2 id="severity-ratings">Severity Ratings</h2>
<p>Severity ratings represent the determination of project members based on an evaluation of
<a href="https://www.first.org/cvss/">Common Vulnerability Scoring System</a> calculations.</p>
<ul>
<li>Critical: Arbitrary code execution from a remote attacker</li>
<li>High: Compromise of integrity or availability through resource exhaustion</li>
<li>Medium: Requires special configuration settings and significant mitigations are available</li>
<li>Low: Minimal impact and significant difficulty of exploitation</li>
</ul>
<h1 id="published-vulnerabilities">Published Vulnerabilities</h1>
<p>The following announcements include published vulnerabilities that apply directly to Apache NiFi components.</p>
<div class="vulnerability-container">
<h3 id="CVE-2023-49145">CVE-2023-49145</h3>
<ul>
<li>Title: Improper Neutralization of Input in Advanced User Interface for Jolt</li>
<li>Published: 2023-11-27</li>
<li>Severity: High</li>
<li>Products: Apache NiFi</li>
<li>Affected Versions: 0.7.0 to 1.23.2</li>
<li>Fixed Versions: 1.24.0</li>
<li>Reporter: Dr. Oliver Matula, DB Systel GmbH</li>
<li>References
<ul>
<li>
CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2023-49145" target="_blank">CVE-2023-49145</a>
</li>
<li>
NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-49145" target="_blank">CVE-2023-49145</a>
</li>
<li>
Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-12403" target="_blank">NIFI-12403</a>
</li>
<li>
GitHub Pull Request: <a href="https://github.com/apache/nifi/pull/8060" target="_blank">8060</a>
</li>
</ul>
</li>
</ul>
<p class="vulnerability-description">
Apache NiFi 0.7.0 through 1.23.2 include the JoltTransformJSON Processor, which provides an advanced configuration user
interface that is vulnerable to DOM-based cross-site scripting. If an authenticated user, who is authorized to configure
a JoltTransformJSON Processor, visits a crafted URL, then arbitrary JavaScript code can be executed within the session
context of the authenticated user. Upgrading to Apache NiFi 1.24.0 or 2.0.0-M1 is the recommended mitigation.
</p>
</div>
<div class="vulnerability-container">
<h3 id="CVE-2023-40037">CVE-2023-40037</h3>
<ul>
<li>Title: Incomplete Validation of JDBC and JNDI Connection URLs</li>
<li>Published: 2023-08-18</li>
<li>Severity: Medium</li>
<li>Products: Apache NiFi</li>
<li>Affected Versions: 1.21.0 to 1.23.0</li>
<li>Fixed Versions: 1.23.1</li>
<li>Reporter: Matei &#39;Mal&#39; Badanoiu</li>
<li>References
<ul>
<li>
CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2023-40037" target="_blank">CVE-2023-40037</a>
</li>
<li>
NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-40037" target="_blank">CVE-2023-40037</a>
</li>
<li>
Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-11920" target="_blank">NIFI-11920</a>
</li>
<li>
GitHub Pull Request: <a href="https://github.com/apache/nifi/pull/7586" target="_blank">7586</a>
</li>
</ul>
</li>
</ul>
<p class="vulnerability-description">
Apache NiFi 1.21.0 through 1.23.0 support JDBC and JNDI JMS access in several Processors and Controller Services with
connection URL validation that does not provide sufficient protection against crafted inputs. An authenticated and
authorized user can bypass connection URL validation using custom input formatting. The resolution enhances connection
URL validation and introduces validation for additional related properties. Upgrading to Apache NiFi 1.23.1 is the
recommended mitigation.
</p>
</div>
<div class="vulnerability-container">
<h3 id="CVE-2023-36542">CVE-2023-36542</h3>
<ul>
<li>Title: Potential Code Injection with Properties Referencing Remote Resources</li>
<li>Published: 2023-07-28</li>
<li>Severity: Medium</li>
<li>Products: Apache NiFi</li>
<li>Affected Versions: 0.0.2 to 1.22.0</li>
<li>Fixed Versions: 1.23.0</li>
<li>Reporter: nbxiglk</li>
<li>References
<ul>
<li>
CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2023-36542" target="_blank">CVE-2023-36542</a>
</li>
<li>
NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-36542" target="_blank">CVE-2023-36542</a>
</li>
<li>
Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-11744" target="_blank">NIFI-11744</a>
</li>
<li>
GitHub Pull Request: <a href="https://github.com/apache/nifi/pull/7426" target="_blank">7426</a>
</li>
</ul>
</li>
</ul>
<p class="vulnerability-description">
Apache NiFi 0.0.2 through 1.22.0 include Processors and Controller Services that support HTTP URL references for
retrieving drivers, which allows an authenticated and authorized user to configure a location that enables custom code
execution. The resolution introduces a new Required Permission for referencing remote resources, restricting
configuration of these components to privileged users. The permission prevents unprivileged users from configuring
Processors and Controller Services annotated with the new Reference Remote Resources restriction. Upgrading to Apache
NiFi 1.23.0 is the recommended mitigation.
</p>
</div>
<div class="vulnerability-container">
<h3 id="CVE-2023-34468">CVE-2023-34468</h3>
<ul>
<li>Title: Potential Code Injection with Database Services using H2</li>
<li>Published: 2023-06-12</li>
<li>Severity: Medium</li>
<li>Products: Apache NiFi</li>
<li>Affected Versions: 0.0.2 to 1.21.0</li>
<li>Fixed Versions: 1.22.0</li>
<li>Reporter: Matei &#39;Mal&#39; Badanoiu</li>
<li>References
<ul>
<li>
CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2023-34468" target="_blank">CVE-2023-34468</a>
</li>
<li>
NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-34468" target="_blank">CVE-2023-34468</a>
</li>
<li>
Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-11653" target="_blank">NIFI-11653</a>
</li>
<li>
GitHub Pull Request: <a href="https://github.com/apache/nifi/pull/7349" target="_blank">7349</a>
</li>
</ul>
</li>
</ul>
<p class="vulnerability-description">
The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an
authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution.
The resolution validates the Database URL and rejects H2 JDBC locations. Upgrading to NiFi 1.22.0 disables H2 JDBC URLs
in the default configuration.
</p>
</div>
<div class="vulnerability-container">
<h3 id="CVE-2023-34212">CVE-2023-34212</h3>
<ul>
<li>Title: Potential Deserialization of Untrusted Data with JNDI in JMS Components</li>
<li>Published: 2023-06-12</li>
<li>Severity: Medium</li>
<li>Products: Apache NiFi</li>
<li>Affected Versions: 1.8.0 to 1.21.0</li>
<li>Fixed Versions: 1.22.0</li>
<li>Reporter: Veraxy00 of Qianxin TI Center and Matei &#39;Mal&#39; Badanoiu</li>
<li>References
<ul>
<li>
CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2023-34212" target="_blank">CVE-2023-34212</a>
</li>
<li>
NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-34212" target="_blank">CVE-2023-34212</a>
</li>
<li>
Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-11614" target="_blank">NIFI-11614</a>
</li>
<li>
GitHub Pull Request: <a href="https://github.com/apache/nifi/pull/7313" target="_blank">7313</a>
</li>
</ul>
</li>
</ul>
<p class="vulnerability-description">
The JndiJmsConnectionFactoryProvider Controller Service along with the ConsumeJMS and PublishJMS Processors, in Apache
NiFi 1.8.0 through 1.21.0 allow an authenticated and authorized user to configure URL and library properties that enable
deserialization of untrusted data from a remote location. The resolution validates the JNDI URL and restricts locations
to a set of allowed schemes. Upgrading to NiFi 1.22.0 disables LDAP for JNDI URLs in the default configuration.
</p>
</div>
<div class="vulnerability-container">
<h3 id="CVE-2023-22832">CVE-2023-22832</h3>
<ul>
<li>Title: Improper Restriction of XML External Entity References in ExtractCCDAAttributes</li>
<li>Published: 2023-02-09</li>
<li>Severity: Medium</li>
<li>Products: Apache NiFi</li>
<li>Affected Versions: 1.2.0 to 1.19.1</li>
<li>Fixed Versions: 1.20.0</li>
<li>Reporter: Yi Cai of Chaitin Tech</li>
<li>References
<ul>
<li>
CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2023-22832" target="_blank">CVE-2023-22832</a>
</li>
<li>
NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-22832" target="_blank">CVE-2023-22832</a>
</li>
<li>
Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-11029" target="_blank">NIFI-11029</a>
</li>
<li>
GitHub Pull Request: <a href="https://github.com/apache/nifi/pull/6828" target="_blank">6828</a>
</li>
</ul>
</li>
</ul>
<p class="vulnerability-description">
The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity
references. Flow configurations that include the ExtractCCDAAttributes Processor are vulnerable to malicious XML
documents that contain Document Type Declarations with XML External Entity references. The resolution disables Document
Type Declarations and disallows XML External Entity resolution in the ExtractCCDAAttributes Processor. Upgrading to NiFi
1.20.0 disables Document Type Declarations in the default configuration for ExtractCCDAAttributes.
</p>
</div>
<div class="vulnerability-container">
<h3 id="CVE-2022-33140">CVE-2022-33140</h3>
<ul>
<li>Title: Improper Neutralization of Command Elements in Shell User Group Provider</li>
<li>Published: 2022-06-15</li>
<li>Severity: High</li>
<li>Products: Apache NiFi and Apache NiFi Registry</li>
<li>Affected Versions: 1.10.0 to 1.16.2</li>
<li>Fixed Versions: 1.20.0</li>
<li>Reporter: Anonymous</li>
<li>References
<ul>
<li>
CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2022-33140" target="_blank">CVE-2022-33140</a>
</li>
<li>
NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-33140" target="_blank">CVE-2022-33140</a>
</li>
<li>
Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-10114" target="_blank">NIFI-10114</a>
</li>
<li>
GitHub Pull Request: <a href="https://github.com/apache/nifi/pull/6122" target="_blank">6122</a>
</li>
</ul>
</li>
</ul>
<p class="vulnerability-description">
The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not
neutralize arguments for group resolution commands, allowing injection of operating system commands on Linux and macOS
platforms. The ShellUserGroupProvider is not included in the default configuration. Command injection requires
ShellUserGroupProvider to be one of the enabled User Group Providers in the Authorizers configuration. Command injection
also requires an authenticated user with elevated privileges. Apache NiFi requires an authenticated user with
authorization to modify access policies to execute the command. Apache NiFi Registry requires an authenticated user with
authorization to read user groups to execute the command. NiFi and NiFi Registry version 1.16.3 has completely removed
the shell commands from the ShellUserGroupProvider that received user arguments.
</p>
</div>
<div class="vulnerability-container">
<h3 id="CVE-2022-29265">CVE-2022-29265</h3>
<ul>
<li>Title: Improper Restriction of XML External Entity References in Multiple Components</li>
<li>Published: 2022-04-29</li>
<li>Severity: Medium</li>
<li>Products: Apache NiFi</li>
<li>Affected Versions: 0.0.1 to 1.16.0</li>
<li>Fixed Versions: 1.16.1</li>
<li>Reporter: David Handermann at exceptionfactory.com</li>
<li>References
<ul>
<li>
CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2022-29265" target="_blank">CVE-2022-29265</a>
</li>
<li>
NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-29265" target="_blank">CVE-2022-29265</a>
</li>
<li>
Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-9901" target="_blank">NIFI-9901</a>
</li>
<li>
GitHub Pull Request: <a href="https://github.com/apache/nifi/pull/5962" target="_blank">5962</a>
</li>
</ul>
</li>
</ul>
<p class="vulnerability-description">
Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default
configuration. The Standard Content Viewer service attempts to resolve XML External Entity references when viewing
formatted XML files. The following Processors attempt to resolve XML External Entity references when configured with
default property values: EvaluateXPath, EvaluateXQuery, and ValidateXml. Apache NiFi flow configurations that include
these Processors are vulnerable to malicious XML documents that contain Document Type Declarations with XML External
Entity references. Upgrading to NiFi 1.16.1 disables Document Type Declarations in the default configuration for these
processors, and disallows XML External Entity resolution in standard services.
</p>
</div>
<div class="vulnerability-container">
<h3 id="CVE-2022-26850">CVE-2022-26850</h3>
<ul>
<li>Title: Insufficiently Protected Credentials for Single-User Authentication</li>
<li>Published: 2022-03-27</li>
<li>Severity: Low</li>
<li>Products: Apache NiFi</li>
<li>Affected Versions: 1.14.0 to 1.15.3</li>
<li>Fixed Versions: 1.16.0</li>
<li>Reporter: Jonathan Leitschuh at twitter.com/jlleitschuh</li>
<li>References
<ul>
<li>
CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2022-26850" target="_blank">CVE-2022-26850</a>
</li>
<li>
NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-26850" target="_blank">CVE-2022-26850</a>
</li>
<li>
Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-9785" target="_blank">NIFI-9785</a>
</li>
<li>
GitHub Pull Request: <a href="https://github.com/apache/nifi/pull/5856" target="_blank">5856</a>
</li>
</ul>
</li>
</ul>
<p class="vulnerability-description">
When creating or updating credentials for single-user access, NiFi wrote a copy of the Login Identity Providers
configuration to the operating system temporary directory. The Login Identity Providers configuration file contains the
username and a bcrypt hash of the configured password. On most platforms, the operating system temporary directory has
global read permissions. NiFi immediately moved the temporary file to the final configuration directory, which
significantly limited the window of opportunity for access. Bcrypt is a password-hashing algorithm that incorporates a
random salt and a specified cost factor, designed to maintain resistance to brute-force attacks. Use of the bcrypt
algorithm minimizes the impact of disclosing the single-user credentials stored in Login Identity Providers. NiFi 1.16.0
includes updates to replace the Login Identity Providers configuration without writing a file to the operating system
temporary directory.
</p>
</div>
<div class="vulnerability-container">
<h3 id="CVE-2021-44145">CVE-2021-44145</h3>
<ul>
<li>Title: Potential Information Disclosure through XML External Entity Resoltion in TransformXML</li>
<li>Published: 2021-12-15</li>
<li>Severity: Low</li>
<li>Products: Apache NiFi</li>
<li>Affected Versions: 0.1.0 to 1.15.0</li>
<li>Fixed Versions: 1.15.1</li>
<li>Reporter: DangKhai at Viettel Cyber Security</li>
<li>References
<ul>
<li>
CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2021-44145" target="_blank">CVE-2021-44145</a>
</li>
<li>
NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2021-44145" target="_blank">CVE-2021-44145</a>
</li>
<li>
Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-9399" target="_blank">NIFI-9399</a>
</li>
<li>
GitHub Pull Request: <a href="https://github.com/apache/nifi/pull/5542" target="_blank">5542</a>
</li>
</ul>
</li>
</ul>
<p class="vulnerability-description">
In the TransformXML processor, an authenticated user could configure an XSLT file which, if it included malicious
external entity calls, may reveal sensitive information. The Secure processing property in TransformXML will now apply
to the configured XSLT file as well as flow files being transformed. Users running any previous NiFi release should
upgrade to 1.15.1.
</p>
</div>
<div class="vulnerability-container">
<h3 id="CVE-2020-9486">CVE-2020-9486</h3>
<ul>
<li>Title: Potential Information Disclosure in Application Logs</li>
<li>Published: 2020-08-18</li>
<li>Severity: Medium</li>
<li>Products: Apache NiFi</li>
<li>Affected Versions: 1.10.0 to 1.11.4</li>
<li>Fixed Versions: 1.12.0</li>
<li>Reporter: Andy LoPresto and Pierre Villard</li>
<li>References
<ul>
<li>
CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2020-9486" target="_blank">CVE-2020-9486</a>
</li>
<li>
NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2020-9486" target="_blank">CVE-2020-9486</a>
</li>
<li>
Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-7377" target="_blank">NIFI-7377</a>
</li>
<li>
GitHub Pull Request: <a href="https://github.com/apache/nifi/pull/4222" target="_blank">4222</a>
</li>
</ul>
</li>
</ul>
<p class="vulnerability-description">
The NiFi stateless execution engine produced log output which included sensitive property values. When a flow was
triggered, the flow definition configuration JSON was printed, potentially containing sensitive values in plaintext.
NiFi 1.12.0 implemented Argon2 secure hashing to provide a deterministic loggable value which does not reveal the
sensitive value. Users running any previous NiFi release should upgrade to 1.12.0.
</p>
</div>
<div class="vulnerability-container">
<h3 id="CVE-2020-9487">CVE-2020-9487</h3>
<ul>
<li>Title: Potential Denial of Service with Token Authentication Requests</li>
<li>Published: 2020-08-18</li>
<li>Severity: Medium</li>
<li>Products: Apache NiFi</li>
<li>Affected Versions: 1.0.0 to 1.11.4</li>
<li>Fixed Versions: 1.12.0</li>
<li>Reporter: Dennis Detering, IT Security Consultant at Spike Reply</li>
<li>References
<ul>
<li>
CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2020-9487" target="_blank">CVE-2020-9487</a>
</li>
<li>
NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2020-9487" target="_blank">CVE-2020-9487</a>
</li>
<li>
Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-7385" target="_blank">NIFI-7385</a>
</li>
<li>
GitHub Pull Request: <a href="https://github.com/apache/nifi/pull/4271" target="_blank">4271</a>
</li>
</ul>
</li>
</ul>
<p class="vulnerability-description">
The NiFi download token (one-time password) mechanism used a fixed cache size and did not authenticate a request to
create a download token, only when attempting to use the token to access the content. An unauthenticated user could
repeatedly request download tokens, preventing legitimate users from requesting download tokens. NiFi 1.12.0 disabled
anonymous authentication, implemented a multi-indexed cache, and limited token creation requests to
one concurrent request per user. Users running any previous NiFi release should upgrade to 1.12.0.
</p>
</div>
<div class="vulnerability-container">
<h3 id="CVE-2020-9491">CVE-2020-9491</h3>
<ul>
<li>Title: Insecure TLS Protocol Versions for Cluster Communication</li>
<li>Published: 2020-08-18</li>
<li>Severity: High</li>
<li>Products: Apache NiFi</li>
<li>Affected Versions: 1.2.0 to 1.11.4</li>
<li>Fixed Versions: 1.12.0</li>
<li>Reporter: Juan Carlos Sequeiros and Andy LoPresto</li>
<li>References
<ul>
<li>
CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2020-9491" target="_blank">CVE-2020-9491</a>
</li>
<li>
NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2020-9491" target="_blank">CVE-2020-9491</a>
</li>
<li>
Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-7407" target="_blank">NIFI-7407</a>
</li>
<li>
GitHub Pull Request: <a href="https://github.com/apache/nifi/pull/4263" target="_blank">4263</a>
</li>
</ul>
</li>
</ul>
<p class="vulnerability-description">
The NiFi UI and API were protected by mandating TLS v1.2, as well as listening connections established by processors
like ListenHTTP and HandleHttpRequest. However intra-cluster communication such as cluster request replication,
Site-to-Site, and load balanced queues continued to support TLS 1.0 or 1.1. NiFI 1.12.0 refactored disparate internal
SSL and TLS code, reducing exposure for extension and framework developers to low-level primitives. NiFi 1.12. also
added support for TLS v1.3 on supporting JVMs. This version restricted all incoming TLS communications to TLS
1.2 or higher. Users running any previous NiFi release should upgrade to 1.12.0.
</p>
</div>
<div class="vulnerability-container">
<h3 id="CVE-2020-13940">CVE-2020-13940</h3>
<ul>
<li>Title: Potential Information Disclosure through XML External Entity Resolution in Notification Service</li>
<li>Published: 2020-08-18</li>
<li>Severity: Low</li>
<li>Products: Apache NiFi</li>
<li>Affected Versions: 1.0.0 to 1.11.4</li>
<li>Fixed Versions: 1.12.0</li>
<li>Reporter: Matt Burgess and Andy LoPresto</li>
<li>References
<ul>
<li>
CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2020-13940" target="_blank">CVE-2020-13940</a>
</li>
<li>
NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2020-13940" target="_blank">CVE-2020-13940</a>
</li>
<li>
Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-7680" target="_blank">NIFI-7680</a>
</li>
<li>
GitHub Pull Request: <a href="https://github.com/apache/nifi/pull/4436" target="_blank">4436</a>
</li>
</ul>
</li>
</ul>
<p class="vulnerability-description">
The notification service manager and various policy authorizer and user group provider objects allowed trusted
administrators to inadvertently configure a potentially malicious XML file. The XML file has the ability to make
external calls to services through XML External Entity resolution. NiFi 1.12.0 introduced an XML validator to prevent
malicious code from being parsed and executed. Users running any previous NiFi release should upgrade to 1.12.0.
</p>
</div>
<div class="vulnerability-container">
<h3 id="CVE-2020-9482">CVE-2020-9482</h3>
<ul>
<li>Title: Application Bearer Token Remains Valid After Logout Completion</li>
<li>Published: 2020-04-07</li>
<li>Severity: Medium</li>
<li>Products: Apache NiFi Registry</li>
<li>Affected Versions: 0.1.0 to 0.5.0</li>
<li>Fixed Versions: 0.6.0</li>
<li>Reporter: Andy LoPresto</li>
<li>References
<ul>
<li>
CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2020-9482" target="_blank">CVE-2020-9482</a>
</li>
<li>
NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2020-9482" target="_blank">CVE-2020-9482</a>
</li>
<li>
Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFIREG-361" target="_blank">NIFIREG-361</a>
</li>
</ul>
</li>
</ul>
<p class="vulnerability-description">
If NiFi Registry uses an authentication mechanism other than PKI, when the user clicks Log Out, NiFi Registry
invalidates the authentication token on the client side but not on the server side. This permits the user's client-side
token to be used for up to 12 hours after logging out to make API requests to NiFi Registry. NiFi Registry 0.6.0
invalidates the server-side authentication token immediately after the user clicks the Log Out link.
</p>
</div>
<div class="vulnerability-container">
<h3 id="CVE-2020-1942">CVE-2020-1942</h3>
<ul>
<li>Title: Potential Information Disclosure in Application Logs</li>
<li>Published: 2020-02-04</li>
<li>Severity: Medium</li>
<li>Products: Apache NiFi</li>
<li>Affected Versions: 0.0.1 to 1.11.0</li>
<li>Fixed Versions: 1.11.1</li>
<li>Reporter: Andy LoPresto</li>
<li>References
<ul>
<li>
CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2020-1942" target="_blank">CVE-2020-1942</a>
</li>
<li>
NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2020-1942" target="_blank">CVE-2020-1942</a>
</li>
<li>
Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-7079" target="_blank">NIFI-7079</a>
</li>
<li>
GitHub Pull Request: <a href="https://github.com/apache/nifi/pull/4208" target="_blank">4208</a>
</li>
</ul>
</li>
</ul>
<p class="vulnerability-description">
The flow fingerprint factory generated flow fingerprints which included sensitive property descriptor values. In the
event a node attempted to join a cluster and the cluster flow was not inheritable, the flow fingerprint of both the
cluster and local flow was printed, potentially containing sensitive values in plaintext. NiFi 1.11.1i implemented
Argon2 secure hashing to provide a deterministic loggable value which does not reveal the sensitive value. Users running
any previous NiFi release should upgrade to 1.11.1.
</p>
</div>
<div class="vulnerability-container">
<h3 id="CVE-2020-1928">CVE-2020-1928</h3>
<ul>
<li>Title: Potential Information Disclosure in Application Debug Logs</li>
<li>Published: 2020-01-22</li>
<li>Severity: Medium</li>
<li>Products: Apache NiFi</li>
<li>Affected Versions: 1.10.0</li>
<li>Fixed Versions: 1.11.0</li>
<li>Reporter: Andy LoPresto</li>
<li>References
<ul>
<li>
CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2020-1928" target="_blank">CVE-2020-1928</a>
</li>
<li>
NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2020-1928" target="_blank">CVE-2020-1928</a>
</li>
<li>
Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-6948" target="_blank">NIFI-6948</a>
</li>
<li>
GitHub Pull Request: <a href="https://github.com/apache/nifi/pull/3935" target="_blank">3935</a>
</li>
</ul>
</li>
</ul>
<p class="vulnerability-description">
The sensitive parameter parser would log parsed property descriptor values for debugging purposes. This would expose
literal values entered a sensitive property when no parameter was present. NiFi 1.11.0 removed debug logging from the
class. Users running the 1.10.0 release should upgrade to 1.11.0.
</p>
</div>
<div class="vulnerability-container">
<h3 id="CVE-2020-1933">CVE-2020-1933</h3>
<ul>
<li>Title: Potential Cross-Site Scripting in Uploaded Templates</li>
<li>Published: 2020-01-22</li>
<li>Severity: Medium</li>
<li>Products: Apache NiFi</li>
<li>Affected Versions: 1.0.0 to 1.10.0</li>
<li>Fixed Versions: 1.11.0</li>
<li>Reporter: Jakub Palaczynski of ING Tech Poland</li>
<li>References
<ul>
<li>
CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2020-1933" target="_blank">CVE-2020-1933</a>
</li>
<li>
NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2020-1933" target="_blank">CVE-2020-1933</a>
</li>
<li>
Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-7023" target="_blank">NIFI-7023</a>
</li>
<li>
GitHub Pull Request: <a href="https://github.com/apache/nifi/pull/3991" target="_blank">3991</a>
</li>
</ul>
</li>
</ul>
<p class="vulnerability-description">
Malicious scripts could be injected to the UI through action by an unaware authenticated user in Firefox. Did not appear
to occur in other browsers. NiFi 1.11.0 adds sanitization of the error response ensures the XSS would not be executed.
Users running earlier versions should upgrade to 1.11.0.
</p>
</div>
<div class="vulnerability-container">
<h3 id="CVE-2019-10080">CVE-2019-10080</h3>
<ul>
<li>Title: Potential Information Disclosure through XML External Entity Resolution in File Lookup Service</li>
<li>Published: 2019-11-04</li>
<li>Severity: Low</li>
<li>Products: Apache NiFi</li>
<li>Affected Versions: 1.3.0 to 1.9.2</li>
<li>Fixed Versions: 1.10.0</li>
<li>Reporter: RunningSnail</li>
<li>References
<ul>
<li>
CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2019-10080" target="_blank">CVE-2019-10080</a>
</li>
<li>
NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2019-10080" target="_blank">CVE-2019-10080</a>
</li>
<li>
Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-6301" target="_blank">NIFI-6301</a>
</li>
<li>
GitHub Pull Request: <a href="https://github.com/apache/nifi/pull/3507" target="_blank">3507</a>
</li>
</ul>
</li>
</ul>
<p class="vulnerability-description">
The XMLFileLookupService allowed trusted users to inadvertently configure a potentially malicious XML file. The XML file
has the ability to make external calls to services using XML External Entity resolution and reveal information such as
the versions of Java, Jersey, and Apache that the NiFI instance uses. NiFi 1.10.0 adds a validator to ensure the XML
file is not malicious. Users running a prior release should upgrade to 1.10.0.
</p>
</div>
<div class="vulnerability-container">
<h3 id="CVE-2019-12421">CVE-2019-12421</h3>
<ul>
<li>Title: Application Bearer Token Remains Valid After Logout Completion</li>
<li>Published: 2019-11-04</li>
<li>Severity: Medium</li>
<li>Products: Apache NiFi</li>
<li>Affected Versions: 1.0.0 to 1.9.2</li>
<li>Fixed Versions: 1.10.0</li>
<li>Reporter: Abdu Sahin</li>
<li>References
<ul>
<li>
CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2019-12421" target="_blank">CVE-2019-12421</a>
</li>
<li>
NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2019-12421" target="_blank">CVE-2019-12421</a>
</li>
<li>
Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-6085" target="_blank">NIFI-6085</a>
</li>
<li>
GitHub Pull Request: <a href="https://github.com/apache/nifi/pull/3362" target="_blank">3362</a>
</li>
</ul>
</li>
</ul>
<p class="vulnerability-description">
If NiFi uses an authentication mechanism other than PKI, when the user clicks Log Out, NiFi invalidates the
authentication token on the client side but not on the server side. This permits the user's client-side token to be used
for up to 12 hours after logging out to make API requests to NiFi. NiFi 1.10.0 invalidates the server-side
authentication token immediately after the user clicks the Log Out link. Users running a prior release should
upgrade to 1.10.0.
</p>
</div>
<div class="vulnerability-container">
<h3 id="CVE-2019-10083">CVE-2019-10083</h3>
<ul>
<li>Title: Potential Information Disclosure in Process Group Resources</li>
<li>Published: 2019-11-04</li>
<li>Severity: Medium</li>
<li>Products: Apache NiFi</li>
<li>Affected Versions: 1.0.0 to 1.9.2</li>
<li>Fixed Versions: 1.10.0</li>
<li>Reporter: Mark Payne</li>
<li>References
<ul>
<li>
CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2019-10083" target="_blank">CVE-2019-10083</a>
</li>
<li>
NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2019-10083" target="_blank">CVE-2019-10083</a>
</li>
<li>
Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-6302" target="_blank">NIFI-6302</a>
</li>
<li>
GitHub Pull Request: <a href="https://github.com/apache/nifi/pull/3477" target="_blank">3477</a>
</li>
</ul>
</li>
</ul>
<p class="vulnerability-description">
When updating a Process Group via the API, the response to the request includes all of its contents (at the top most
level, not recursively). The response included details about processors and controller services which the user may not
have had read access to. Requests to update or remove the process group will no longer return the contents of the
process group in the response in Apache NiFi 1.10.0. Users running a prior release should upgrade to 1.10.0.
</p>
</div>
<div class="vulnerability-container">
<h3 id="CVE-2018-17192">CVE-2018-17192</h3>
<ul>
<li>Title: Improper Restriction of Browser Frame Access</li>
<li>Published: 2018-10-26</li>
<li>Severity: Low</li>
<li>Products: Apache NiFi</li>
<li>Affected Versions: 1.0.0 to 1.6.0</li>
<li>Fixed Versions: 1.8.0</li>
<li>Reporter: Suchithra V N</li>
<li>References
<ul>
<li>
CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2018-17192" target="_blank">CVE-2018-17192</a>
</li>
<li>
NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2018-17192" target="_blank">CVE-2018-17192</a>
</li>
<li>
Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-5258" target="_blank">NIFI-5258</a>
</li>
<li>
GitHub Pull Request: <a href="https://github.com/apache/nifi/pull/2759" target="_blank">2759</a>
</li>
</ul>
</li>
</ul>
<p class="vulnerability-description">
The X-Frame-Options headers were applied inconsistently on some HTTP responses, resulting in duplicate or missing
security headers. Some browsers would interpret these results incorrectly, allowing clickjacking attacks. NiFi 1.8.0
consistently applies the security headers including X-Frame-Options. Users running a prior release should upgrade to
1.8.0.
</p>
</div>
<div class="vulnerability-container">
<h3 id="CVE-2018-17193">CVE-2018-17193</h3>
<ul>
<li>Title: Improper Neutralization of Input in Proxy Request Headers</li>
<li>Published: 2018-10-26</li>
<li>Severity: Medium</li>
<li>Products: Apache NiFi</li>
<li>Affected Versions: 1.0.0 to 1.7.1</li>
<li>Fixed Versions: 1.8.0</li>
<li>Reporter: Dan Fike with assistance from Patrick White</li>
<li>References
<ul>
<li>
CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2018-17193" target="_blank">CVE-2018-17193</a>
</li>
<li>
NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2018-17193" target="_blank">CVE-2018-17193</a>
</li>
<li>
Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-5442" target="_blank">NIFI-5442</a>
</li>
<li>
GitHub Pull Request: <a href="https://github.com/apache/nifi/pull/2908" target="_blank">2908</a>
</li>
</ul>
</li>
</ul>
<p class="vulnerability-description">
The message-page.jsp error page used the value of the HTTP request header X-ProxyContextPath without sanitization,
resulting in a potential reflected cross-site scripting attack. NiFi 1.8.0 correctly parses and sanitizes the request
attribute value. Users running a prior release should upgrade to 1.8.0.
</p>
</div>
<div class="vulnerability-container">
<h3 id="CVE-2018-17194">CVE-2018-17194</h3>
<ul>
<li>Title: Potential Denial of Service with HTTP DELETE Cluster Replication Requests</li>
<li>Published: 2018-10-26</li>
<li>Severity: Medium</li>
<li>Products: Apache NiFi</li>
<li>Affected Versions: 1.0.0 to 1.7.1</li>
<li>Fixed Versions: 1.8.0</li>
<li>Reporter: Mike Cole and Andy LoPresto</li>
<li>References
<ul>
<li>
CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2018-17194" target="_blank">CVE-2018-17194</a>
</li>
<li>
NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2018-17194" target="_blank">CVE-2018-17194</a>
</li>
<li>
Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-5628" target="_blank">NIFI-5628</a>
</li>
<li>
GitHub Pull Request: <a href="https://github.com/apache/nifi/pull/3035" target="_blank">3035</a>
</li>
</ul>
</li>
</ul>
<p class="vulnerability-description">
When a client request to a cluster node was replicated to other nodes in the cluster for verification, the
Content-Length was forwarded. On a DELETE request, the body was ignored, but if the initial request had a Content-Length
value other than 0, the receiving nodes would wait for the body and eventually timeout. NiFi 1.8.0 checks DELETE
requests and overwrites non-zero Content-Length header. Users running a prior release should upgrade to 1.8.0.
</p>
</div>
<div class="vulnerability-container">
<h3 id="CVE-2018-17195">CVE-2018-17195</h3>
<ul>
<li>Title: Potential Cross-Site Request Forgery in Template Upload Resources</li>
<li>Published: 2018-10-26</li>
<li>Severity: Critical</li>
<li>Products: Apache NiFi</li>
<li>Affected Versions: 1.0.0 to 1.7.1</li>
<li>Fixed Versions: 1.8.0</li>
<li>Reporter: Mike Cole</li>
<li>References
<ul>
<li>
CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2018-17195" target="_blank">CVE-2018-17195</a>
</li>
<li>
NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2018-17195" target="_blank">CVE-2018-17195</a>
</li>
<li>
Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-5595" target="_blank">NIFI-5595</a>
</li>
<li>
GitHub Pull Request: <a href="https://github.com/apache/nifi/pull/3024" target="_blank">3024</a>
</li>
</ul>
</li>
</ul>
<p class="vulnerability-description">
The template upload API endpoint accepted requests from different domain when sent in conjunction with ARP spoofing and
meddler in the middle (MITM) intervention, resulting in cross-site request forgery. The required attack vector is
complex, requiring a scenario with client certificate authentication, same subnet access, and injecting malicious code
into an unprotected (plaintext HTTP) website which the targeted user later visits, but the possible damage warranted a
Critical severity level. NiFi 1.8.0 applies Cross-Origin Resource Sharing (CORS) policy request filtering. Users running
a prior release should upgrade to 1.8.0.
</p>
</div>
<div class="vulnerability-container">
<h3 id="CVE-2018-1309">CVE-2018-1309</h3>
<ul>
<li>Title: Improper Restriction of XML External Entity References in SplitXml</li>
<li>Published: 2018-04-08</li>
<li>Severity: Medium</li>
<li>Products: Apache NiFi</li>
<li>Affected Versions: 0.1.0 to 1.5.0</li>
<li>Fixed Versions: 1.6.0</li>
<li>Reporter: 圆珠笔</li>
<li>References
<ul>
<li>
CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2018-1309" target="_blank">CVE-2018-1309</a>
</li>
<li>
NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2018-1309" target="_blank">CVE-2018-1309</a>
</li>
<li>
Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-4869" target="_blank">NIFI-4869</a>
</li>
<li>
GitHub Pull Request: <a href="https://github.com/apache/nifi/pull/2466" target="_blank">2466</a>
</li>
</ul>
</li>
</ul>
<p class="vulnerability-description">
Malicious XML content could cause information disclosure or remote code execution in the SplitXml Processor. NiFi 1.6.0
disables external general entity parsing and disallows document type declarations in SplitXml. Users running a prior
release should upgrade to 1.6.0.
</p>
</div>
<div class="vulnerability-container">
<h3 id="CVE-2018-1310">CVE-2018-1310</h3>
<ul>
<li>Title: Potential Denial of Service in JMS Processors</li>
<li>Published: 2018-04-08</li>
<li>Severity: Medium</li>
<li>Products: Apache NiFi</li>
<li>Affected Versions: 0.1.0 to 1.5.0</li>
<li>Fixed Versions: 1.6.0</li>
<li>Reporter: 圆珠笔</li>
<li>References
<ul>
<li>
CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2018-1310" target="_blank">CVE-2018-1310</a>
</li>
<li>
NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2018-1310" target="_blank">CVE-2018-1310</a>
</li>
<li>
Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-4870" target="_blank">NIFI-4870</a>
</li>
<li>
GitHub Pull Request: <a href="https://github.com/apache/nifi/pull/2469" target="_blank">2469</a>
</li>
</ul>
</li>
</ul>
<p class="vulnerability-description">
Malicious JMS content could cause denial of service in impacted Processors. See ActiveMQ CVE-2015-5254 announcement for
more information. NiFi 1.6.0 upgrades the activemq-client library to 5.15.3. Users running a prior release should
upgrade to 1.6.0.
</p>
</div>
<div class="vulnerability-container">
<h3 id="CVE-2017-12632">CVE-2017-12632</h3>
<ul>
<li>Title: Improper Input Validation of HTTP Host Request Headers</li>
<li>Published: 2018-01-12</li>
<li>Severity: Medium</li>
<li>Products: Apache NiFi</li>
<li>Affected Versions: 0.1.0 to 1.4.0</li>
<li>Fixed Versions: 1.5.0</li>
<li>Reporter: Mike Cole</li>
<li>References
<ul>
<li>
CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2017-12632" target="_blank">CVE-2017-12632</a>
</li>
<li>
NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2017-12632" target="_blank">CVE-2017-12632</a>
</li>
<li>
Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-4501" target="_blank">NIFI-4501</a>
</li>
<li>
GitHub Pull Request: <a href="https://github.com/apache/nifi/pull/2279" target="_blank">2279</a>
</li>
</ul>
</li>
</ul>
<p class="vulnerability-description">
A malicious host header in an incoming HTTP request could cause NiFi to load resources from an external server. NiFi
1.5.0 sanitizes host headers and compares to a controlled whitelist property. Users running a prior release should
upgrade to 1.5.0.
</p>
</div>
<div class="vulnerability-container">
<h3 id="CVE-2017-15697">CVE-2017-15697</h3>
<ul>
<li>Title: Potential Cross-Site Scripting in Proxy Request Headers</li>
<li>Published: 2018-01-12</li>
<li>Severity: Medium</li>
<li>Products: Apache NiFi</li>
<li>Affected Versions: 1.0.0 to 1.4.0</li>
<li>Fixed Versions: 1.5.0</li>
<li>Reporter: Andy LoPresto</li>
<li>References
<ul>
<li>
CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2017-15697" target="_blank">CVE-2017-15697</a>
</li>
<li>
NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2017-15697" target="_blank">CVE-2017-15697</a>
</li>
<li>
Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-4501" target="_blank">NIFI-4501</a>
</li>
<li>
GitHub Pull Request: <a href="https://github.com/apache/nifi/pull/2279" target="_blank">2279</a>
</li>
</ul>
</li>
</ul>
<p class="vulnerability-description">
A malicious X-ProxyContextPath or X-Forwarded-Context header containing external resources or embedded code could cause
remote code execution. NiFi 1.5.0 includes corrected handling of these headers. Users running a prior release should
upgrade to 1.5.0.
</p>
</div>
<div class="vulnerability-container">
<h3 id="CVE-2017-12623">CVE-2017-12623</h3>
<ul>
<li>Title: Improper Restriction of XML External Entity References in Template Upload Resources</li>
<li>Published: 2017-10-02</li>
<li>Severity: High</li>
<li>Products: Apache NiFi</li>
<li>Affected Versions: 1.0.0 to 1.3.0</li>
<li>Fixed Versions: 1.4.0</li>
<li>Reporter: Paweł Gocyla with further information from Mike Cole</li>
<li>References
<ul>
<li>
CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2017-12623" target="_blank">CVE-2017-12623</a>
</li>
<li>
NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2017-12623" target="_blank">CVE-2017-12623</a>
</li>
<li>
Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-4353" target="_blank">NIFI-4353</a>
</li>
<li>
GitHub Pull Request: <a href="https://github.com/apache/nifi/pull/2128" target="_blank">2128</a>
</li>
</ul>
</li>
</ul>
<p class="vulnerability-description">
Any authenticated user (valid client certificate but without ACL permissions) could upload a template which contained
malicious code and accessed sensitive files via an XML External Entity (XXE) attack. NiFi 1.14.0 properly handles XML
External Entities. Users running a prior release should upgrade to 1.4.0.
</p>
</div>
<div class="vulnerability-container">
<h3 id="CVE-2017-15703">CVE-2017-15703</h3>
<ul>
<li>Title: Deserialization of Untrusted Data in Template Upload Resources</li>
<li>Published: 2017-10-02</li>
<li>Severity: Medium</li>
<li>Products: Apache NiFi</li>
<li>Affected Versions: 1.0.0 to 1.3.0</li>
<li>Fixed Versions: 1.4.0</li>
<li>Reporter: Mike Cole</li>
<li>References
<ul>
<li>
CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2017-15703" target="_blank">CVE-2017-15703</a>
</li>
<li>
NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2017-15703" target="_blank">CVE-2017-15703</a>
</li>
<li>
Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-4357" target="_blank">NIFI-4357</a>
</li>
<li>
GitHub Pull Request: <a href="https://github.com/apache/nifi/pull/2134" target="_blank">2134</a>
</li>
</ul>
</li>
</ul>
<p class="vulnerability-description">
Any authenticated user (valid client certificate but without ACL permissions) could upload a template which contained
malicious code and cause a denial of service via Java deserialization. NiFi 1.4.0 properly handles Java deserialization.
Users running a prior release should upgrade to 1.4.0.
</p>
</div>
<div class="vulnerability-container">
<h3 id="CVE-2017-7665">CVE-2017-7665</h3>
<ul>
<li>Title: Potential Cross-Site Scripting in User Interface Components</li>
<li>Published: 2017-05-08</li>
<li>Severity: Medium</li>
<li>Products: Apache NiFi</li>
<li>Affected Versions: 0.0.1 to 0.7.3 and 1.0.0 to 1.2.0</li>
<li>Fixed Versions: 0.7.4 and 1.3.0</li>
<li>Reporter: Matt Gilman</li>
<li>References
<ul>
<li>
CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2017-7665" target="_blank">CVE-2017-7665</a>
</li>
<li>
NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2017-7665" target="_blank">CVE-2017-7665</a>
</li>
<li>
Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-3906" target="_blank">NIFI-3906</a>
</li>
<li>
GitHub Pull Request: <a href="https://github.com/apache/nifi/pull/1818" target="_blank">1818</a>
</li>
</ul>
</li>
</ul>
<p class="vulnerability-description">
There are certain user input components in the Apache NiFi UI which had been guarding for some forms of cross-site
scripting issues but were insufficient. NiFi 0.7.4 and 1.3.0 add more complete user input sanitization. Users running a
prior release should upgrade to 0.7.4 or 1.3.0.
</p>
</div>
<div class="vulnerability-container">
<h3 id="CVE-2017-7667">CVE-2017-7667</h3>
<ul>
<li>Title: Potential Cross-Frame Scripting from Improper Frame Access Restrictions</li>
<li>Published: 2017-05-08</li>
<li>Severity: Medium</li>
<li>Products: Apache NiFi</li>
<li>Affected Versions: 0.0.1 to 0.7.3 and 1.0.0 to 1.2.0</li>
<li>Fixed Versions: 0.7.4 and 1.3.0</li>
<li>Reporter: Matt Gilman</li>
<li>References
<ul>
<li>
CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2017-7667" target="_blank">CVE-2017-7667</a>
</li>
<li>
NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2017-7667" target="_blank">CVE-2017-7667</a>
</li>
<li>
Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-3907" target="_blank">NIFI-3907</a>
</li>
</ul>
</li>
</ul>
<p class="vulnerability-description">
Apache NiFi needs to establish the response header telling browsers to only allow framing with the same origin. NiFi
0.7.4 and 1.3.0 set the response header. Users running a prior release should upgrade to 0.7.4 or 1.3.0.
</p>
</div>
<div class="vulnerability-container">
<h3 id="CVE-2017-5635">CVE-2017-5635</h3>
<ul>
<li>Title: Improper Authentication of Replicated Cluster HTTP Requests</li>
<li>Published: 2017-02-20</li>
<li>Severity: Medium</li>
<li>Products: Apache NiFi</li>
<li>Affected Versions: 0.7.0 to 0.7.1 and 1.1.0 to 1.1.1</li>
<li>Fixed Versions: 0.7.2 and 1.1.2</li>
<li>Reporter: Leonardo Dias and Matt Gilman</li>
<li>References
<ul>
<li>
CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2017-5635" target="_blank">CVE-2017-5635</a>
</li>
<li>
NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2017-5635" target="_blank">CVE-2017-5635</a>
</li>
<li>
Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-3487" target="_blank">NIFI-3487</a>
</li>
</ul>
</li>
</ul>
<p class="vulnerability-description">
In a cluster environment, if an anonymous user request is replicated to another node, the originating node identity is
used rather than the anonymous user. NiFi 0.7.2 and 1.1.2 remove the negative check for anonymous user before building
the proxy chain and throwing an exception, and evaluating each user in the proxy chain iteration and comparing against a
static constant anonymous user. Users running a prior release should upgrade to 0.7.2 or 1.1.2.
</p>
</div>
<div class="vulnerability-container">
<h3 id="CVE-2017-5636">CVE-2017-5636</h3>
<ul>
<li>Title: Improper Authentication of Replicated Cluster HTTP Requests</li>
<li>Published: 2017-02-20</li>
<li>Severity: Medium</li>
<li>Products: Apache NiFi</li>
<li>Affected Versions: 0.7.0 to 0.7.1 and 1.1.0 to 1.1.1</li>
<li>Fixed Versions: 0.7.2 and 1.1.2</li>
<li>Reporter: Andy LoPresto</li>
<li>References
<ul>
<li>
CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2017-5636" target="_blank">CVE-2017-5636</a>
</li>
<li>
NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2017-5636" target="_blank">CVE-2017-5636</a>
</li>
<li>
Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-3487" target="_blank">NIFI-3487</a>
</li>
</ul>
</li>
</ul>
<p class="vulnerability-description">
In a cluster environment, the proxy chain serialization and deserialization is vulnerable to an injection attack where a
carefully crafted username could impersonate another user and gain their permissions on a replicated request to another
node. NiFi 0.7.2 and 1.1.2 modify the tokenization code and sanitization of user-provided input. Users running a prior
release should upgrade to 0.7.2 or 1.1.2.
</p>
</div>
<div class="vulnerability-container">
<h3 id="CVE-2016-8748">CVE-2016-8748</h3>
<ul>
<li>Title: Potential Cross-Site Scripting in Connection Details Dialog</li>
<li>Published: 2016-12-19</li>
<li>Severity: Medium</li>
<li>Products: Apache NiFi</li>
<li>Affected Versions: 1.0.0 and 1.1.0</li>
<li>Fixed Versions: 1.0.1 and 1.1.1</li>
<li>Reporter: Matt Gilman</li>
<li>References
<ul>
<li>
CVE Record: <a href="https://www.cve.org/CVERecord?id=CVE-2016-8748" target="_blank">CVE-2016-8748</a>
</li>
<li>
NVD Record: <a href="https://nvd.nist.gov/vuln/detail/CVE-2016-8748" target="_blank">CVE-2016-8748</a>
</li>
<li>
Apache Jira Issue: <a href="https://issues.apache.org/jira/browse/NIFI-3154" target="_blank">NIFI-3154</a>
</li>
<li>
GitHub Pull Request: <a href="https://github.com/apache/nifi/pull/1305" target="_blank">1305</a>
</li>
</ul>
</li>
</ul>
<p class="vulnerability-description">
There is a cross-site scripting vulnerability in connection details dialog when accessed by an authorized user. The user
supplied text was not being properly handled when added to the DOM. The vulnerability was resolved after reviewing the
pull request when merging changes. Users running a prior release should upgrade to 1.0.1 or 1.1.1.
</p>
</div>
</div>
</main>
<footer>
<div class="uk-container">
<div class="uk-flex uk-grid uk-grid-large">
<div class="uk-width-1-2@m">
<p>
<a class="uk-link-reset" href="/">
<img src="/images/apache-nifi-logo.svg" class="footer-logo" alt="Apache NiFi Logo"/>
</a>
<a class="uk-link-reset" href="https://apache.org">
<img src="/images/apache-logo.svg" class="footer-logo uk-margin-left" alt="Apache Software Foundation Logo"/>
</a>
</p>
<p>
Copyright &copy; 2024 The Apache Software Foundation under the terms of the
<a href="https://www.apache.org/licenses/LICENSE-2.0.html">Apache License, Version 2.0</a>
</p>
<p>
Apache NiFi, NiFi, and the NiFi logo are trademarks of
<a href="https://apache.org/">The Apache Software Foundation</a>
</p>
</div>
<div class="uk-width-1-4@m">
<h3><a href="/">Project</a></h3>
<ul>
<li><a href="https://issues.apache.org/jira/browse/NIFI">Issues</a></li>
<li><a href="https://github.com/apache/nifi">Source</a></li>
<li><a href="https://www.linkedin.com/company/apache-nifi/">LinkedIn</a></li>
<li><a href="https://join.slack.com/t/apachenifi/shared_invite/zt-2ccusmst2-l2KrTzJLrGcHOO0V7~XD4g">Slack</a></li>
</ul>
</div>
<div class="uk-width-1-4@m">
<h3><a href="https://www.apache.org/">Apache</a></h3>
<ul>
<li><a href="https://www.apache.org/licenses/">License</a></li>
<li><a href="https://privacy.apache.org/policies/privacy-policy-public.html">Privacy</a></li>
<li><a href="https://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
<li><a href="https://www.apache.org/security/">Security</a></li>
<li><a href="https://www.apache.org/foundation/thanks.html">Thanks</a></li>
</ul>
</div>
</div>
</div>
</footer>
<script src="/uikit/js/uikit.min.js"></script>
<script src="/uikit/js/uikit-icons.min.js"></script>
</body>
</html>