CVE-2018-17194
Description
When a client request to a cluster node was replicated to other nodes in the cluster for verification, the Content-Length header was forwarded. On a DELETE request, the body was ignored, but if the initial request had a Content-Length value other than 0, the receiving nodes would wait for the body and eventually time out.

Mitigation: The fix to check DELETE requests and overwrite non-zero Content-Length header values was applied in the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.nifi:nifi-framework-cluster (Maven) | >= 1.0.0, < 1.8.0 | 1.8.0 |
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-43fp-vwwg-qgv6 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-17194 (ghsa, ADVISORY)
- github.com/apache/nifi/commit/1baead6f525046a613fc4fe494a0d193776ea70f (ghsa, WEB)
- github.com/apache/nifi/commit/748cf745628dab20b7e71f12b5dcfe6ed0bbf134 (ghsa, WEB)
- issues.apache.org/jira/browse/NIFI-5628 (ghsa, WEB)
- nifi.apache.org/security.html (ghsa, x_refsource_CONFIRM, WEB)