Bitnami package
nifi
pkg:bitnami/nifi
Vulnerabilities (28)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-20190 | — | >= 1.7.0, <= 1.12.1 | — | Jan 19, 2021 | A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | ||
| CVE-2020-9491 | — | >= 1.0.0, <= 1.11.4 | — | Oct 1, 2020 | In Apache NiFi 1.2.0 to 1.11.4, the NiFi UI and API were protected by mandating TLS v1.2, as well as listening connections established by processors like ListenHTTP, HandleHttpRequest, etc. However intracluster communication such as cluster request replication, Site-to-Site, and | ||
| CVE-2020-13940 | — | >= 1.0.0, <= 1.11.4 | — | Oct 1, 2020 | In Apache NiFi 1.0.0 to 1.11.4, the notification service manager and various policy authorizer and user group provider objects allowed trusted administrators to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to servic | ||
| CVE-2020-9487 | — | >= 1.0.0, <= 1.11.4 | — | Oct 1, 2020 | In Apache NiFi 1.0.0 to 1.11.4, the NiFi download token (one-time password) mechanism used a fixed cache size and did not authenticate a request to create a download token, only when attempting to use the token to access the content. An unauthenticated user could repeatedly reque | ||
| CVE-2020-9486 | — | >= 1.0.0, <= 1.11.4 | — | Oct 1, 2020 | In Apache NiFi 1.10.0 to 1.11.4, the NiFi stateless execution engine produced log output which included sensitive property values. When a flow was triggered, the flow definition configuration JSON was printed, potentially containing sensitive values in plaintext. | ||
| CVE-2020-1942 | — | >= 0.0.1, <= 1.11.0 | — | Feb 11, 2020 | In Apache NiFi 0.0.1 to 1.11.0, the flow fingerprint factory generated flow fingerprints which included sensitive property descriptor values. In the event a node attempted to join a cluster and the cluster flow was not inheritable, the flow fingerprint of both the cluster and loc | ||
| CVE-2020-1933 | — | >= 1.0.0, <= 1.10.0 | — | Jan 28, 2020 | A XSS vulnerability was found in Apache NiFi 1.0.0 to 1.10.0. Malicious scripts could be injected to the UI through action by an unaware authenticated user in Firefox. Did not appear to occur in other browsers. | ||
| CVE-2020-1928 | — | >= 1.10.0, <= 1.10.0 | — | Jan 28, 2020 | An information disclosure vulnerability was found in Apache NiFi 1.10.0. The sensitive parameter parser would log parsed values for debugging purposes. This would expose literal values entered in a sensitive property when no parameter was present. |
- CVE-2021-20190Jan 19, 2021affected >= 1.7.0, <= 1.12.1
A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
- CVE-2020-9491Oct 1, 2020affected >= 1.0.0, <= 1.11.4
In Apache NiFi 1.2.0 to 1.11.4, the NiFi UI and API were protected by mandating TLS v1.2, as well as listening connections established by processors like ListenHTTP, HandleHttpRequest, etc. However intracluster communication such as cluster request replication, Site-to-Site, and
- CVE-2020-13940Oct 1, 2020affected >= 1.0.0, <= 1.11.4
In Apache NiFi 1.0.0 to 1.11.4, the notification service manager and various policy authorizer and user group provider objects allowed trusted administrators to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to servic
- CVE-2020-9487Oct 1, 2020affected >= 1.0.0, <= 1.11.4
In Apache NiFi 1.0.0 to 1.11.4, the NiFi download token (one-time password) mechanism used a fixed cache size and did not authenticate a request to create a download token, only when attempting to use the token to access the content. An unauthenticated user could repeatedly reque
- CVE-2020-9486Oct 1, 2020affected >= 1.0.0, <= 1.11.4
In Apache NiFi 1.10.0 to 1.11.4, the NiFi stateless execution engine produced log output which included sensitive property values. When a flow was triggered, the flow definition configuration JSON was printed, potentially containing sensitive values in plaintext.
- CVE-2020-1942Feb 11, 2020affected >= 0.0.1, <= 1.11.0
In Apache NiFi 0.0.1 to 1.11.0, the flow fingerprint factory generated flow fingerprints which included sensitive property descriptor values. In the event a node attempted to join a cluster and the cluster flow was not inheritable, the flow fingerprint of both the cluster and loc
- CVE-2020-1933Jan 28, 2020affected >= 1.0.0, <= 1.10.0
A XSS vulnerability was found in Apache NiFi 1.0.0 to 1.10.0. Malicious scripts could be injected to the UI through action by an unaware authenticated user in Firefox. Did not appear to occur in other browsers.
- CVE-2020-1928Jan 28, 2020affected >= 1.10.0, <= 1.10.0
An information disclosure vulnerability was found in Apache NiFi 1.10.0. The sensitive parameter parser would log parsed values for debugging purposes. This would expose literal values entered in a sensitive property when no parameter was present.
Page 2 of 2