Moderate severity · NVD Advisory · Published Dec 19, 2018 · Updated Aug 5, 2024

CVE-2018-17192

Description

The X-Frame-Options headers were applied inconsistently on some HTTP responses, resulting in duplicate or missing security headers. Some browsers would interpret these results incorrectly, allowing clickjacking attacks. Mitigation: The fix to consistently apply the security headers was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache NiFi prior to 1.8.0 inconsistently applied X-Frame-Options headers, allowing clickjacking attacks; fixed in version 1.8.0.

Vulnerability

The X-Frame-Options HTTP response header was applied inconsistently across different web contexts in Apache NiFi [2]. Some responses contained duplicate headers while others omitted them entirely, causing certain browsers to misinterpret the header and potentially allow clickjacking. This issue affects all Apache NiFi 1.x releases prior to 1.8.0, with version 1.6.0 specifically identified as affected [3].

Exploitation

An attacker can create a malicious web page that embeds the Apache NiFi user interface in an iframe. By tricking an authenticated NiFi user into performing actions on the attacker-controlled page (e.g., clicking a disguised button), the attacker can hijack the user's clicks to trigger unintended operations in the NiFi UI. The inconsistent or missing X-Frame-Options headers fail to prevent the browser from rendering the NiFi content in a frame, enabling the clickjacking attack [2].

Impact

Successful clickjacking could allow an attacker to execute actions on the NiFi instance with the privileges of the targeted user [2]. Depending on the user's permissions, this might include modifying data flows, accessing sensitive data, or performing administrative operations. The attack requires user interaction (clicking) and cannot be executed blindly without an authenticated session.

Mitigation

Apache NiFi 1.8.0 includes a fix that ensures consistent application of security headers by changing addHeader to setHeader for the X-Frame-Options header [4]. Users running any prior 1.x release should upgrade to NiFi 1.8.0 or later. No workarounds are documented; upgrading is the recommended mitigation [2][3].
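The two failure modes in the Vulnerability section (a duplicate or a missing X-Frame-Options header) and the addHeader/setHeader difference the Mitigation section relies on, worked through as an added Python example that is not NiFi's own code; the sample responses and the Response class are constructed for illustration, not captured from a NiFi instance.

```python
from __future__ import annotations

# Values browsers act on; ALLOW-FROM is obsolete and ignored by current browsers.
VALID_VALUES = {"DENY", "SAMEORIGIN"}

def parse_header_block(raw: str) -> list[tuple[str, str]]:
    """(lower-cased name, value) pairs from a raw response head, duplicates kept."""
    pairs: list[tuple[str, str]] = []
    for line in raw.split("\r\n")[1:]:  # drop the status line
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit_frame_options(raw: str) -> str:
    """Classify one response as 'missing', 'duplicate', 'invalid' or 'ok'."""
    values = [v for n, v in parse_header_block(raw) if n == "x-frame-options"]
    if not values:
        return "missing"
    if len(values) > 1:
        return "duplicate"  # browsers disagree on which copy wins: a finding
    return "ok" if values[0].upper() in VALID_VALUES else "invalid"

class Response:
    """Constructed response model with servlet-style addHeader/setHeader semantics."""
    def __init__(self) -> None:
        self.headers: list[tuple[str, str]] = []
    def add_header(self, name: str, value: str) -> None:
        self.headers.append((name, value))  # appends: repeated calls accumulate
    def set_header(self, name: str, value: str) -> None:
        self.headers = [(n, v) for n, v in self.headers if n.lower() != name.lower()]
        self.headers.append((name, value))  # replaces any earlier value

def run_frame_filter(times: int, use_set: bool) -> list[str]:
    """Apply a frame-options filter `times` times; return the X-Frame-Options values."""
    resp = Response()
    for _ in range(times):
        (resp.set_header if use_set else resp.add_header)("X-Frame-Options", "SAMEORIGIN")
    return [v for n, v in resp.headers if n.lower() == "x-frame-options"]

# Constructed sample responses (not captured from a real NiFi instance).
SAMPLES = {
    "duplicate": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                 "X-Frame-Options: SAMEORIGIN\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n",
    "missing": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>",
    "ok": "HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n",
}
```

Running the filter twice with add_header reproduces the duplicate the advisory describes, while set_header leaves a single value regardless of how many times the filter runs.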

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.apache.nifi:nifi (Maven)
Affected versions: >= 1.0.0, < 1.8.0
Patched versions: 1.8.0

Patches

Commit dbf259508c2b

NIFI-5258 - Changed addHeader to setHeader which stops X-Frame-Options being added twice to responses. Added unit test.

https://github.com/apache/nifi · thenatog · Jun 13, 2018 · via ghsa
3 files changed · +84 −40
  • nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/pom.xml (+6 −0, modified)
    @@ -194,6 +194,12 @@
                 <version>1.16.0</version>
                 <scope>test</scope>
             </dependency>
    +        <dependency>
    +            <groupId>org.springframework</groupId>
    +            <artifactId>spring-test</artifactId>
    +            <version>5.0.6.RELEASE</version>
    +            <scope>test</scope>
    +        </dependency>
         </dependencies>
     </project>
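Review bot: spring-test is pinned as a literal `5.0.6.RELEASE` in test scope. Since it is only needed to provide `MockHttpServletResponse` for the new test, tie its version to whatever property or dependency management the project already uses for its other Spring artifacts (if one exists) so the test classpath cannot drift from the Spring version JettyServer compiles against.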
     
    
  • nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/JettyServer.java (+36 −35, modified)
    @@ -18,40 +18,6 @@
     
     import com.google.common.base.Strings;
     import com.google.common.collect.Lists;
    -import java.io.BufferedReader;
    -import java.io.File;
    -import java.io.FileFilter;
    -import java.io.IOException;
    -import java.io.InputStreamReader;
    -import java.net.InetAddress;
    -import java.net.NetworkInterface;
    -import java.net.SocketException;
    -import java.nio.file.Paths;
    -import java.util.ArrayList;
    -import java.util.Arrays;
    -import java.util.Collection;
    -import java.util.Collections;
    -import java.util.EnumSet;
    -import java.util.Enumeration;
    -import java.util.HashMap;
    -import java.util.HashSet;
    -import java.util.List;
    -import java.util.Map;
    -import java.util.Objects;
    -import java.util.Set;
    -import java.util.concurrent.TimeUnit;
    -import java.util.jar.JarEntry;
    -import java.util.jar.JarFile;
    -import java.util.stream.Collectors;
    -import javax.servlet.DispatcherType;
    -import javax.servlet.Filter;
    -import javax.servlet.FilterChain;
    -import javax.servlet.FilterConfig;
    -import javax.servlet.ServletContext;
    -import javax.servlet.ServletException;
    -import javax.servlet.ServletRequest;
    -import javax.servlet.ServletResponse;
    -import javax.servlet.http.HttpServletResponse;
     import org.apache.commons.collections4.CollectionUtils;
     import org.apache.commons.lang3.StringUtils;
     import org.apache.nifi.NiFiServer;
    @@ -105,6 +71,41 @@
     import org.springframework.web.context.WebApplicationContext;
     import org.springframework.web.context.support.WebApplicationContextUtils;
     
    +import javax.servlet.DispatcherType;
    +import javax.servlet.Filter;
    +import javax.servlet.FilterChain;
    +import javax.servlet.FilterConfig;
    +import javax.servlet.ServletContext;
    +import javax.servlet.ServletException;
    +import javax.servlet.ServletRequest;
    +import javax.servlet.ServletResponse;
    +import javax.servlet.http.HttpServletResponse;
    +import java.io.BufferedReader;
    +import java.io.File;
    +import java.io.FileFilter;
    +import java.io.IOException;
    +import java.io.InputStreamReader;
    +import java.net.InetAddress;
    +import java.net.NetworkInterface;
    +import java.net.SocketException;
    +import java.nio.file.Paths;
    +import java.util.ArrayList;
    +import java.util.Arrays;
    +import java.util.Collection;
    +import java.util.Collections;
    +import java.util.EnumSet;
    +import java.util.Enumeration;
    +import java.util.HashMap;
    +import java.util.HashSet;
    +import java.util.List;
    +import java.util.Map;
    +import java.util.Objects;
    +import java.util.Set;
    +import java.util.concurrent.TimeUnit;
    +import java.util.jar.JarEntry;
    +import java.util.jar.JarFile;
    +import java.util.stream.Collectors;
    +
     /**
      * Encapsulates the Jetty instance.
      */
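Review bot: these two import hunks only move the `javax.*` and `java.*` imports from before the `org.*` block to after it; none of the moved lines is needed for the header fix in `doFilter`. Roughly 70 lines of reordering around a one-line security fix makes the change harder to review and to backport to earlier 1.x branches, so keep the import shuffle in a separate commit.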
    @@ -1033,7 +1034,7 @@ public void doFilter(final ServletRequest req, final ServletResponse resp, final
     
                 // set frame options accordingly
                 final HttpServletResponse response = (HttpServletResponse) resp;
    -            response.addHeader(FRAME_OPTIONS, SAME_ORIGIN);
    +            response.setHeader(FRAME_OPTIONS, SAME_ORIGIN);
     
                 filterChain.doFilter(req, resp);
             }
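Review bot: switching to `response.setHeader(FRAME_OPTIONS, SAME_ORIGIN)` makes the filter idempotent when it runs more than once on the same response, which is the intended fix, but the comment `// set frame options accordingly` does not say why setHeader is required. Add a line stating that addHeader produced duplicate X-Frame-Options values on responses the filter saw twice, so a later edit does not silently revert to addHeader. Note also that setHeader replaces any X-Frame-Options value another filter set earlier in the chain; that is fine if this filter is meant to be authoritative, but it should be a deliberate ordering decision.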
    
  • nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/test/java/org/apache/nifi/web/server/JettyServerTest.java (+42 −5, modified)
    @@ -17,20 +17,32 @@
     
     package org.apache.nifi.web.server;
     
    -import java.lang.reflect.InvocationTargetException;
    -import java.util.HashMap;
    -import java.util.Map;
    -
     import org.apache.nifi.security.util.KeystoreType;
    +import org.apache.nifi.util.NiFiProperties;
     import org.bouncycastle.jce.provider.BouncyCastleProvider;
     import org.eclipse.jetty.util.ssl.SslContextFactory;
    -import org.apache.nifi.util.NiFiProperties;
     import org.junit.Test;
    +import org.mockito.Mockito;
    +import org.springframework.mock.web.MockHttpServletResponse;
    +
    +import javax.servlet.Filter;
    +import javax.servlet.FilterChain;
    +import javax.servlet.FilterConfig;
    +import javax.servlet.ServletContext;
    +import javax.servlet.ServletException;
    +import javax.servlet.http.HttpServletRequest;
    +import java.io.IOException;
    +import java.lang.reflect.Field;
    +import java.lang.reflect.InvocationTargetException;
    +import java.util.HashMap;
    +import java.util.Map;
     
    +import static org.junit.Assert.assertEquals;
     import static org.mockito.Matchers.anyString;
     import static org.mockito.Mockito.mock;
     import static org.mockito.Mockito.never;
     import static org.mockito.Mockito.verify;
    +import static org.mockito.Mockito.when;
     
     public class JettyServerTest {
         @Test
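Review bot: the test class now imports both `org.mockito.Mockito` and the static `mock` / `when`, and the new test body mixes `Mockito.mock(...)` and `Mockito.when(...)` with a bare `when(...)`. The existing tests in this file use the static imports; use that form throughout the new test and drop whichever import is then unused.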
    @@ -142,4 +154,29 @@ public void testConfigureSslContextFactoryWithPkcsTrustStore() {
             verify(contextFactory).setTrustStoreType(trustStoreType);
             verify(contextFactory).setTrustStoreProvider(BouncyCastleProvider.PROVIDER_NAME);
         }
    +
    +    @Test
    +    public void testNoDuplicateXFrameOptions() throws NoSuchFieldException, IllegalAccessException, ServletException, IOException {
    +        Field xOptionsFilter = JettyServer.class.getDeclaredField("FRAME_OPTIONS_FILTER");
    +        xOptionsFilter.setAccessible(true);
    +        Filter filter = (Filter) xOptionsFilter.get(xOptionsFilter);
    +
    +        HttpServletRequest mockRequest = Mockito.mock(HttpServletRequest.class);
    +        Mockito.when(mockRequest.getRequestURI()).thenReturn("/");
    +
    +        MockHttpServletResponse mockResponse = new MockHttpServletResponse();
    +        FilterChain mockFilterChain = Mockito.mock(FilterChain.class);
    +        ServletContext mockContext = Mockito.mock(ServletContext.class);
    +        FilterConfig mockFilterConfig = Mockito.mock(FilterConfig.class);
    +
    +        when(mockFilterConfig.getServletContext()).thenReturn(mockContext);
    +
    +        filter.init(mockFilterConfig);
    +
    +        // Call doFilter twice, then check the header only appears once.
    +        filter.doFilter(mockRequest, mockResponse, mockFilterChain);
    +        filter.doFilter(mockRequest, mockResponse, mockFilterChain);
    +
    +        assertEquals(1, mockResponse.getHeaders("X-Frame-Options").size());
    +    }
     }
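Review bot: `xOptionsFilter.get(xOptionsFilter)` passes the `Field` object itself as the instance argument. For a static field the argument is ignored, so it works, but it reads as a mistake; pass `null` for a static field. The assertion also only checks that exactly one X-Frame-Options header is present: assert that its value equals JettyServer's `SAME_ORIGIN` constant too, otherwise a regression that sets the wrong value once would still pass. Finally, reaching the private `FRAME_OPTIONS_FILTER` via reflection with `setAccessible(true)` will break on a rename; a package-private accessor would be less brittle.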
    
