High severity7.5NVD Advisory· Published Oct 19, 2017· Updated May 13, 2026

CVE-2017-5635

Description

In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, if an anonymous user request is replicated to another node, the originating node identity is used rather than the "anonymous" user.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.apache.nifi:nifiMaven	< 0.7.2	0.7.2
org.apache.nifi:nifiMaven	>= 1.0.0, < 1.1.2	1.1.2

Affected products

Apache/Nifi4 versions
cpe:2.3:a:apache:nifi:0.7.0:*:*:*:*:*:*:*+ 3 more
- cpe:2.3:a:apache:nifi:0.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:nifi:0.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:nifi:1.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:nifi:1.1.1:*:*:*:*:*:*:*
Apache Software Foundation/Apache NiFiv5
Range: 0.7.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.securityfocus.com/bid/96730nvdThird Party AdvisoryVDB EntryWEB
github.com/advisories/GHSA-jgj9-6v78-6g8mghsaADVISORY
nifi.apache.org/security.htmlnvdIssue TrackingMitigationVendor AdvisoryWEB
nvd.nist.gov/vuln/detail/CVE-2017-5635ghsaADVISORY

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000