CVE-2018-17195
Description
The template upload API endpoint accepted requests from a different domain when sent in conjunction with ARP spoofing + man in the middle (MiTM) attack, resulting in a CSRF attack. The required attack vector is complex, requiring a scenario with client certificate authentication, same subnet access, and injecting malicious code into an unprotected (plaintext HTTP) website which the targeted user later visits, but the possible damage warranted a Severe severity level. Mitigation: The fix to apply Cross-Origin Resource Sharing (CORS) policy request filtering was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache NiFi template upload endpoint lacked CORS validation, enabling CSRF via ARP spoofing/MiTM on same subnet with client certs, fixed in 1.8.0.
Vulnerability
The template upload API endpoint in Apache NiFi prior to version 1.8.0 accepted requests from different domains when combined with ARP spoofing and a man-in-the-middle (MiTM) attack, resulting in a Cross-Site Request Forgery (CSRF) vulnerability [1][2]. The affected endpoint is /process-groups/*/templates/upload [4]. Versions 1.x before 1.8.0 are affected [1][2].
Exploitation
An attacker requires a complex scenario: the victim must be on the same subnet as the attacker, use client certificate authentication, and visit an unprotected (plaintext HTTP) website where the attacker has injected malicious code [1][2]. The attacker performs ARP spoofing to intercept traffic, then leverages the injected code to send a cross-origin request to the NiFi template upload endpoint, exploiting the missing Cross-Origin Resource Sharing (CORS) policy [2].
Impact
Successful exploitation allows an attacker to upload a malicious template to the NiFi instance, potentially leading to arbitrary code execution, data modification, or further compromise of the NiFi environment [1][2]. The severity is assessed as Severe by Apache [1][2].
Mitigation
The fix adds CORS filtering to the template upload endpoint by restricting allowed HTTP methods to HEAD and GET and registering a CORS configuration source [4]. This fix is included in Apache NiFi 1.8.0, released on October 29, 2018 [1][2]. Users running a prior 1.x release should upgrade to version 1.8.0 or later [1][2].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
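The configuration described under Mitigation can be exercised directly against Spring's CORS classes to confirm what it refuses: because it lists allowed methods but no allowed origins, cross-origin requests to the matched path are rejected. This is an added example, not code from the NiFi project; it assumes spring-web and spring-test on the classpath, and the class name, request paths and origin are constructed for illustration.

```java
import java.util.Arrays;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.DefaultCorsProcessor;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

public class TemplateUploadCorsCheck {

    // Same settings as the fix: allowed methods only, no allowed origins.
    static UrlBasedCorsConfigurationSource patchedSource() {
        CorsConfiguration configuration = new CorsConfiguration();
        configuration.setAllowedMethods(Arrays.asList("HEAD", "GET"));
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/process-groups/*/templates/upload", configuration);
        return source;
    }

    // True when the CORS processor lets the request continue to the endpoint.
    // The mock request path stands in for the lookup path inside the web API's
    // servlet mapping (assumption: no context path or servlet path is set).
    static boolean passes(String method, String path, String origin) throws Exception {
        MockHttpServletRequest request = new MockHttpServletRequest(method, path);
        if (origin != null) {
            request.addHeader("Origin", origin);
        }
        MockHttpServletResponse response = new MockHttpServletResponse();
        CorsConfiguration config = patchedSource().getCorsConfiguration(request);
        return new DefaultCorsProcessor().processRequest(config, request, response);
    }

    static void expect(boolean expected, boolean actual, String what) {
        if (expected != actual) {
            throw new IllegalStateException("unexpected result for: " + what);
        }
    }

    public static void main(String[] args) throws Exception {
        String upload = "/process-groups/root/templates/upload"; // constructed path
        String foreign = "http://plaintext-site.example";        // constructed origin
        expect(false, passes("POST", upload, foreign), "cross-origin POST to upload");
        expect(false, passes("GET", upload, foreign), "cross-origin GET to upload");
        // No Origin header: not a CORS request, so authentication alone decides.
        expect(true, passes("POST", upload, null), "POST without Origin header");
        // Paths outside the registered pattern get no CORS configuration here.
        expect(true, passes("POST", "/other/endpoint", foreign), "path outside the matcher");
        System.out.println("CORS filtering behaves as expected");
    }
}
```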
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.nifi:nifi (Maven) | >= 1.0.0, < 1.8.0 | 1.8.0 |
Affected products
- Apache Software Foundation/Apache NiFi. Range: Apache NiFi 1.0.0 - 1.7.1
Patches
246c09052614: NIFI-5595 - Added the CORS filter to the templates/upload endpoint using a URL matcher.
1 file changed · +16 −0
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/NiFiWebApiSecurityConfiguration.java+16 −0 modified@@ -43,6 +43,11 @@ import org.springframework.security.config.http.SessionCreationPolicy; import org.springframework.security.web.authentication.AnonymousAuthenticationFilter; import org.springframework.security.web.authentication.preauth.x509.X509PrincipalExtractor; +import org.springframework.web.cors.CorsConfiguration; +import org.springframework.web.cors.CorsConfigurationSource; +import org.springframework.web.cors.UrlBasedCorsConfigurationSource; + +import java.util.Arrays; /** * NiFi Web Api Spring security @@ -89,6 +94,7 @@ public void configure(WebSecurity webSecurity) throws Exception { @Override protected void configure(HttpSecurity http) throws Exception { http + .cors().and() .rememberMe().disable() .authorizeRequests() .anyRequest().fullyAuthenticated() @@ -112,6 +118,16 @@ protected void configure(HttpSecurity http) throws Exception { http.anonymous().authenticationFilter(anonymousFilterBean()); } + + @Bean + CorsConfigurationSource corsConfigurationSource() { + CorsConfiguration configuration = new CorsConfiguration(); + configuration.setAllowedMethods(Arrays.asList("HEAD", "GET")); + UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource(); + source.registerCorsConfiguration("/process-groups/*/templates/upload", configuration); + return source; + } + @Bean @Override public AuthenticationManager authenticationManagerBean() throws Exception {
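Review bot: In the second hunk, `.cors().and()` in configure(HttpSecurity) is connected to the new bean only implicitly, through the bean name corsConfigurationSource that Spring Security looks up, so renaming that method later would disconnect the filter from its configuration. Consider `.cors().configurationSource(corsConfigurationSource()).and()`, or a comment on the bean stating that its name is load-bearing.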
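Review bot: In the third hunk, corsConfigurationSource() sets only `setAllowedMethods(Arrays.asList("HEAD", "GET"))` for a path that handles uploads, and nothing in the method documents that the intent is to have cross-origin upload requests refused. Please add a Javadoc comment saying so, and a test that sends a request with a foreign Origin header to /process-groups/*/templates/upload and asserts rejection, since the change touches one file and adds no test. The bean method is also package-private while the neighbouring authenticationManagerBean() is public; matching the surrounding style would be cleaner.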
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-3jq8-jg75-rqv6 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-17195 (ghsa, ADVISORY)
- github.com/apache/nifi/commit/246c090526143943557b15868db6e8fe3fb30cf6 (ghsa, WEB)
- issues.apache.org/jira/browse/NIFI-5595 (ghsa, WEB)
- nifi.apache.org/security.html (ghsa, x_refsource_CONFIRM, WEB)