Bitnami package
nifi
pkg:bitnami/nifi
Vulnerabilities (24)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-39816 | Hig | 8.8 | >= 2.0.0, < 2.9.0 | 2.9.0 | May 8, 2026 | The optional extension component TinkerpopClientService is missing the Restricted annotation with the Execute Code Required Permission in Apache NiFi 2.0.0-M1 through 2.8.0. The TinkerpopClientService supports configuration of ByteCode Submission for the Script Submission Type, e | |
| CVE-2026-25903 | — | >= 1.1.0, < 2.8.0 | 2.8.0 | Feb 17, 2026 | Apache NiFi 1.1.0 through 2.7.2 are missing authorization when updating configuration properties on extension components that have specific Required Permissions based on the Restricted annotation. The Restricted annotation indicates additional privileges required to add the annot | ||
| CVE-2025-66524 | — | >= 1.20.0, < 2.7.0 | 2.7.0 | Dec 19, 2025 | Apache NiFi 1.20.0 through 2.6.0 include the GetAsanaObject Processor, which requires integration with a configurable Distribute Map Cache Client Service for storing and retrieving state information. The GetAsanaObject Processor used generic Java Object serialization and deserial | ||
| CVE-2024-56512 | — | >= 1.10.0, < 2.1.0 | 2.1.0 | Dec 28, 2024 | Apache NiFi 1.10.0 through 2.0.0 are missing fine-grained authorization checking for Parameter Contexts, referenced Controller Services, and referenced Parameter Providers, when creating new Process Groups. Creating a new Process Group can include binding to a Parameter Context, | ||
| CVE-2024-45477 | — | >= 1.10.0, < 1.28.0 | 1.28.0 | Oct 29, 2024 | Apache NiFi 1.10.0 through 1.27.0 and 2.0.0-M1 through 2.0.0-M3 support a description field for Parameters in a Parameter Context configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to configure a Parameter Context, can enter arbitrary Java | ||
| CVE-2023-49145 | — | >= 0.7.0, < 1.24.0 | 1.24.0 | Nov 27, 2023 | Apache NiFi 0.7.0 through 1.23.2 include the JoltTransformJSON Processor, which provides an advanced configuration user interface that is vulnerable to DOM-based cross-site scripting. If an authenticated user, who is authorized to configure a JoltTransformJSON Processor, visits a | ||
| CVE-2023-40037 | — | >= 1.21.0, < 1.23.1 | 1.23.1 | Aug 18, 2023 | Apache NiFi 1.21.0 through 1.23.0 support JDBC and JNDI JMS access in several Processors and Controller Services with connection URL validation that does not provide sufficient protection against crafted inputs. An authenticated and authorized user can bypass connection URL valid | ||
| CVE-2023-36542 | — | >= 0.0.2, <= 1.22.0 | — | Jul 29, 2023 | Apache NiFi 0.0.2 through 1.22.0 include Processors and Controller Services that support HTTP URL references for retrieving drivers, which allows an authenticated and authorized user to configure a location that enables custom code execution. The resolution introduces a new Requi | ||
| CVE-2023-34212 | — | >= 1.8.0, <= 1.21.0 | — | Jun 12, 2023 | The JndiJmsConnectionFactoryProvider Controller Service, along with the ConsumeJMS and PublishJMS Processors, in Apache NiFi 1.8.0 through 1.21.0 allow an authenticated and authorized user to configure URL and library properties that enable deserialization of untrusted data from | ||
| CVE-2023-34468 | — | >= 0.0.2, < 1.22.0 | 1.22.0 | Jun 12, 2023 | The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution. The resolution validates the Database URL and r | ||
| CVE-2023-22832 | — | >= 1.2.0, <= 1.19.1 | — | Feb 10, 2023 | The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references. Flow configurations that include the ExtractCCDAAttributes Processor are vulnerable to malicious XML documents that contain Document Type Declarations with X | ||
| CVE-2022-33140 | — | >= 1.10.0, <= 1.16.2 | — | Jun 15, 2022 | The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not neutralize arguments for group resolution commands, allowing injection of operating system commands on Linux and macOS platforms. The ShellUserGroupProvider is no | ||
| CVE-2022-29265 | — | >= 0.0.1, <= 1.16.0 | — | Apr 30, 2022 | Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configuration. The Standard Content Viewer service attempts to resolve XML External Entity references when viewing formatted XML files. The following Processors attemp | ||
| CVE-2022-26850 | — | >= 1.14.0, < 1.16.0 | 1.16.0 | Apr 6, 2022 | When creating or updating credentials for single-user access, Apache NiFi wrote a copy of the Login Identity Providers configuration to the operating system temporary directory. On most platforms, the operating system temporary directory has global read permissions. NiFi immediat | ||
| CVE-2021-44145 | — | >= 0.1.0, < 1.15.1 | 1.15.1 | Dec 17, 2021 | In the TransformXML processor of Apache NiFi before 1.15.1 an authenticated user could configure an XSLT file which, if it included malicious external entity calls, may reveal sensitive information. | ||
| CVE-2020-27223 | — | >= 1.13.0, <= 1.13.0 | — | Feb 26, 2021 | In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage pr | ||
| CVE-2021-20190 | — | >= 1.7.0, <= 1.12.1 | — | Jan 19, 2021 | A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | ||
| CVE-2020-9491 | — | >= 1.0.0, <= 1.11.4 | — | Oct 1, 2020 | In Apache NiFi 1.2.0 to 1.11.4, the NiFi UI and API were protected by mandating TLS v1.2, as well as listening connections established by processors like ListenHTTP, HandleHttpRequest, etc. However intracluster communication such as cluster request replication, Site-to-Site, and | ||
| CVE-2020-13940 | — | >= 1.0.0, <= 1.11.4 | — | Oct 1, 2020 | In Apache NiFi 1.0.0 to 1.11.4, the notification service manager and various policy authorizer and user group provider objects allowed trusted administrators to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to servic | ||
| CVE-2020-9487 | — | >= 1.0.0, <= 1.11.4 | — | Oct 1, 2020 | In Apache NiFi 1.0.0 to 1.11.4, the NiFi download token (one-time password) mechanism used a fixed cache size and did not authenticate a request to create a download token, only when attempting to use the token to access the content. An unauthenticated user could repeatedly reque |
- affected >= 2.0.0, < 2.9.0fixed 2.9.0
The optional extension component TinkerpopClientService is missing the Restricted annotation with the Execute Code Required Permission in Apache NiFi 2.0.0-M1 through 2.8.0. The TinkerpopClientService supports configuration of ByteCode Submission for the Script Submission Type, e
- CVE-2026-25903Feb 17, 2026affected >= 1.1.0, < 2.8.0fixed 2.8.0
Apache NiFi 1.1.0 through 2.7.2 are missing authorization when updating configuration properties on extension components that have specific Required Permissions based on the Restricted annotation. The Restricted annotation indicates additional privileges required to add the annot
- CVE-2025-66524Dec 19, 2025affected >= 1.20.0, < 2.7.0fixed 2.7.0
Apache NiFi 1.20.0 through 2.6.0 include the GetAsanaObject Processor, which requires integration with a configurable Distribute Map Cache Client Service for storing and retrieving state information. The GetAsanaObject Processor used generic Java Object serialization and deserial
- CVE-2024-56512Dec 28, 2024affected >= 1.10.0, < 2.1.0fixed 2.1.0
Apache NiFi 1.10.0 through 2.0.0 are missing fine-grained authorization checking for Parameter Contexts, referenced Controller Services, and referenced Parameter Providers, when creating new Process Groups. Creating a new Process Group can include binding to a Parameter Context,
- CVE-2024-45477Oct 29, 2024affected >= 1.10.0, < 1.28.0fixed 1.28.0
Apache NiFi 1.10.0 through 1.27.0 and 2.0.0-M1 through 2.0.0-M3 support a description field for Parameters in a Parameter Context configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to configure a Parameter Context, can enter arbitrary Java
- CVE-2023-49145Nov 27, 2023affected >= 0.7.0, < 1.24.0fixed 1.24.0
Apache NiFi 0.7.0 through 1.23.2 include the JoltTransformJSON Processor, which provides an advanced configuration user interface that is vulnerable to DOM-based cross-site scripting. If an authenticated user, who is authorized to configure a JoltTransformJSON Processor, visits a
- CVE-2023-40037Aug 18, 2023affected >= 1.21.0, < 1.23.1fixed 1.23.1
Apache NiFi 1.21.0 through 1.23.0 support JDBC and JNDI JMS access in several Processors and Controller Services with connection URL validation that does not provide sufficient protection against crafted inputs. An authenticated and authorized user can bypass connection URL valid
- CVE-2023-36542Jul 29, 2023affected >= 0.0.2, <= 1.22.0
Apache NiFi 0.0.2 through 1.22.0 include Processors and Controller Services that support HTTP URL references for retrieving drivers, which allows an authenticated and authorized user to configure a location that enables custom code execution. The resolution introduces a new Requi
- CVE-2023-34212Jun 12, 2023affected >= 1.8.0, <= 1.21.0
The JndiJmsConnectionFactoryProvider Controller Service, along with the ConsumeJMS and PublishJMS Processors, in Apache NiFi 1.8.0 through 1.21.0 allow an authenticated and authorized user to configure URL and library properties that enable deserialization of untrusted data from
- CVE-2023-34468Jun 12, 2023affected >= 0.0.2, < 1.22.0fixed 1.22.0
The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution. The resolution validates the Database URL and r
- CVE-2023-22832Feb 10, 2023affected >= 1.2.0, <= 1.19.1
The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references. Flow configurations that include the ExtractCCDAAttributes Processor are vulnerable to malicious XML documents that contain Document Type Declarations with X
- CVE-2022-33140Jun 15, 2022affected >= 1.10.0, <= 1.16.2
The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not neutralize arguments for group resolution commands, allowing injection of operating system commands on Linux and macOS platforms. The ShellUserGroupProvider is no
- CVE-2022-29265Apr 30, 2022affected >= 0.0.1, <= 1.16.0
Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configuration. The Standard Content Viewer service attempts to resolve XML External Entity references when viewing formatted XML files. The following Processors attemp
- CVE-2022-26850Apr 6, 2022affected >= 1.14.0, < 1.16.0fixed 1.16.0
When creating or updating credentials for single-user access, Apache NiFi wrote a copy of the Login Identity Providers configuration to the operating system temporary directory. On most platforms, the operating system temporary directory has global read permissions. NiFi immediat
- CVE-2021-44145Dec 17, 2021affected >= 0.1.0, < 1.15.1fixed 1.15.1
In the TransformXML processor of Apache NiFi before 1.15.1 an authenticated user could configure an XSLT file which, if it included malicious external entity calls, may reveal sensitive information.
- CVE-2020-27223Feb 26, 2021affected >= 1.13.0, <= 1.13.0
In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage pr
- CVE-2021-20190Jan 19, 2021affected >= 1.7.0, <= 1.12.1
A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
- CVE-2020-9491Oct 1, 2020affected >= 1.0.0, <= 1.11.4
In Apache NiFi 1.2.0 to 1.11.4, the NiFi UI and API were protected by mandating TLS v1.2, as well as listening connections established by processors like ListenHTTP, HandleHttpRequest, etc. However intracluster communication such as cluster request replication, Site-to-Site, and
- CVE-2020-13940Oct 1, 2020affected >= 1.0.0, <= 1.11.4
In Apache NiFi 1.0.0 to 1.11.4, the notification service manager and various policy authorizer and user group provider objects allowed trusted administrators to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to servic
- CVE-2020-9487Oct 1, 2020affected >= 1.0.0, <= 1.11.4
In Apache NiFi 1.0.0 to 1.11.4, the NiFi download token (one-time password) mechanism used a fixed cache size and did not authenticate a request to create a download token, only when attempting to use the token to access the content. An unauthenticated user could repeatedly reque
Page 1 of 2