Maven package
org.apache.nifi/nifi
pkg:maven/org.apache.nifi/nifi
Vulnerabilities (21)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2022-33140 | — | >= 1.10.0, < 1.16.3 | 1.16.3 | Jun 15, 2022 | The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not neutralize arguments for group resolution commands, allowing injection of operating system commands on Linux and macOS platforms. The ShellUserGroupProvider is no | ||
| CVE-2022-29265 | — | >= 0.0.1, < 1.16.1 | 1.16.1 | Apr 30, 2022 | Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configuration. The Standard Content Viewer service attempts to resolve XML External Entity references when viewing formatted XML files. The following Processors attemp | ||
| CVE-2021-44145 | — | < 1.15.1 | 1.15.1 | Dec 17, 2021 | In the TransformXML processor of Apache NiFi before 1.15.1 an authenticated user could configure an XSLT file which, if it included malicious external entity calls, may reveal sensitive information. | ||
| CVE-2020-9491 | — | >= 1.2.0, < 1.12.0-RC1 | 1.12.0-RC1 | Oct 1, 2020 | In Apache NiFi 1.2.0 to 1.11.4, the NiFi UI and API were protected by mandating TLS v1.2, as well as listening connections established by processors like ListenHTTP, HandleHttpRequest, etc. However intracluster communication such as cluster request replication, Site-to-Site, and | ||
| CVE-2020-13940 | — | >= 1.0.0, < 1.12.0-RC1 | 1.12.0-RC1 | Oct 1, 2020 | In Apache NiFi 1.0.0 to 1.11.4, the notification service manager and various policy authorizer and user group provider objects allowed trusted administrators to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to servic | ||
| CVE-2020-9487 | — | >= 1.0.0, < 1.12.0-RC1 | 1.12.0-RC1 | Oct 1, 2020 | In Apache NiFi 1.0.0 to 1.11.4, the NiFi download token (one-time password) mechanism used a fixed cache size and did not authenticate a request to create a download token, only when attempting to use the token to access the content. An unauthenticated user could repeatedly reque | ||
| CVE-2020-1933 | — | >= 1.0.0, < 1.11.0 | 1.11.0 | Jan 28, 2020 | A XSS vulnerability was found in Apache NiFi 1.0.0 to 1.10.0. Malicious scripts could be injected to the UI through action by an unaware authenticated user in Firefox. Did not appear to occur in other browsers. | ||
| CVE-2019-10083 | — | >= 1.3.0, < 1.10.0 | 1.10.0 | Nov 19, 2019 | When updating a Process Group via the API in NiFi versions 1.3.0 to 1.9.2, the response to the request includes all of its contents (at the top most level, not recursively). The response included details about processors and controller services which the user may not have had rea | ||
| CVE-2019-10080 | — | >= 1.3.0, < 1.10.0 | 1.10.0 | Nov 19, 2019 | The XMLFileLookupService in NiFi versions 1.3.0 to 1.9.2 allowed trusted users to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE) and reveal information such as the versions of Java, Jersey, and A | ||
| CVE-2018-17195 | — | >= 1.0.0, < 1.8.0 | 1.8.0 | Dec 19, 2018 | The template upload API endpoint accepted requests from different domain when sent in conjunction with ARP spoofing + man in the middle (MiTM) attack, resulting in a CSRF attack. The required attack vector is complex, requiring a scenario with client certificate authentication, s | ||
| CVE-2018-17193 | — | >= 1.0.0, < 1.8.0 | 1.8.0 | Dec 19, 2018 | The message-page.jsp error page used the value of the HTTP request header X-ProxyContextPath without sanitization, resulting in a reflected XSS attack. Mitigation: The fix to correctly parse and sanitize the request attribute value was applied on the Apache NiFi 1.8.0 release. Us | ||
| CVE-2018-17192 | — | >= 1.0.0, < 1.8.0 | 1.8.0 | Dec 19, 2018 | The X-Frame-Options headers were applied inconsistently on some HTTP responses, resulting in duplicate or missing security headers. Some browsers would interpret these results incorrectly, allowing clickjacking attacks. Mitigation: The fix to consistently apply the security heade | ||
| CVE-2018-1310 | — | < 1.6.0 | 1.6.0 | May 23, 2018 | Apache NiFi JMS Deserialization issue because of ActiveMQ client vulnerability. Malicious JMS content could cause denial of service. See ActiveMQ CVE-2015-5254 announcement for more information. The fix to upgrade the activemq-client library to 5.15.3 was applied on the Apache Ni | ||
| CVE-2017-15697 | — | >= 1.0.0, < 1.5.0 | 1.5.0 | Jan 23, 2018 | A malicious X-ProxyContextPath or X-Forwarded-Context header containing external resources or embedded code could cause remote code execution. The fix to properly handle these headers was applied on the Apache NiFi 1.5.0 release. Users running a prior 1.x release should upgrade t | ||
| CVE-2017-12632 | — | >= 1.0.0, < 1.5.0 | 1.5.0 | Jan 23, 2018 | A malicious host header in an incoming HTTP request could cause NiFi to load resources from an external server. The fix to sanitize host headers and compare to a controlled whitelist was applied on the Apache NiFi 1.5.0 release. Users running a prior 1.x release should upgrade to | ||
| CVE-2017-5636 | Cri | 9.8 | < 0.7.2 | 0.7.2 | Oct 19, 2017 | In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, the proxy chain serialization/deserialization is vulnerable to an injection attack where a carefully crafted username could impersonate another user and gain their permissions on a replicated request to an | |
| CVE-2017-5635 | Hig | 7.5 | < 0.7.2 | 0.7.2 | Oct 19, 2017 | In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, if an anonymous user request is replicated to another node, the originating node identity is used rather than the "anonymous" user. | |
| CVE-2016-8748 | Med | 5.4 | < 1.0.1 | 1.0.1 | Oct 19, 2017 | In Apache NiFi before 1.0.1 and 1.1.x before 1.1.1, there is a cross-site scripting vulnerability in connection details dialog when accessed by an authorized user. The user supplied text was not being properly handled when added to the DOM. | |
| CVE-2017-12623 | Med | 6.5 | >= 1.0.0, < 1.4.0 | 1.4.0 | Oct 10, 2017 | An authorized user could upload a template which contained malicious code and accessed sensitive files via an XML External Entity (XXE) attack. The fix to properly handle XML External Entities was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should | |
| CVE-2017-7667 | Hig | 7.5 | < 0.7.4 | 0.7.4 | Jun 12, 2017 | Apache NiFi before 0.7.4 and 1.x before 1.3.0 need to establish the response header telling browsers to only allow framing with the same origin. |
- CVE-2022-33140Jun 15, 2022affected >= 1.10.0, < 1.16.3fixed 1.16.3
The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not neutralize arguments for group resolution commands, allowing injection of operating system commands on Linux and macOS platforms. The ShellUserGroupProvider is no
- CVE-2022-29265Apr 30, 2022affected >= 0.0.1, < 1.16.1fixed 1.16.1
Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configuration. The Standard Content Viewer service attempts to resolve XML External Entity references when viewing formatted XML files. The following Processors attemp
- CVE-2021-44145Dec 17, 2021affected < 1.15.1fixed 1.15.1
In the TransformXML processor of Apache NiFi before 1.15.1 an authenticated user could configure an XSLT file which, if it included malicious external entity calls, may reveal sensitive information.
- CVE-2020-9491Oct 1, 2020affected >= 1.2.0, < 1.12.0-RC1fixed 1.12.0-RC1
In Apache NiFi 1.2.0 to 1.11.4, the NiFi UI and API were protected by mandating TLS v1.2, as well as listening connections established by processors like ListenHTTP, HandleHttpRequest, etc. However intracluster communication such as cluster request replication, Site-to-Site, and
- CVE-2020-13940Oct 1, 2020affected >= 1.0.0, < 1.12.0-RC1fixed 1.12.0-RC1
In Apache NiFi 1.0.0 to 1.11.4, the notification service manager and various policy authorizer and user group provider objects allowed trusted administrators to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to servic
- CVE-2020-9487Oct 1, 2020affected >= 1.0.0, < 1.12.0-RC1fixed 1.12.0-RC1
In Apache NiFi 1.0.0 to 1.11.4, the NiFi download token (one-time password) mechanism used a fixed cache size and did not authenticate a request to create a download token, only when attempting to use the token to access the content. An unauthenticated user could repeatedly reque
- CVE-2020-1933Jan 28, 2020affected >= 1.0.0, < 1.11.0fixed 1.11.0
A XSS vulnerability was found in Apache NiFi 1.0.0 to 1.10.0. Malicious scripts could be injected to the UI through action by an unaware authenticated user in Firefox. Did not appear to occur in other browsers.
- CVE-2019-10083Nov 19, 2019affected >= 1.3.0, < 1.10.0fixed 1.10.0
When updating a Process Group via the API in NiFi versions 1.3.0 to 1.9.2, the response to the request includes all of its contents (at the top most level, not recursively). The response included details about processors and controller services which the user may not have had rea
- CVE-2019-10080Nov 19, 2019affected >= 1.3.0, < 1.10.0fixed 1.10.0
The XMLFileLookupService in NiFi versions 1.3.0 to 1.9.2 allowed trusted users to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE) and reveal information such as the versions of Java, Jersey, and A
- CVE-2018-17195Dec 19, 2018affected >= 1.0.0, < 1.8.0fixed 1.8.0
The template upload API endpoint accepted requests from different domain when sent in conjunction with ARP spoofing + man in the middle (MiTM) attack, resulting in a CSRF attack. The required attack vector is complex, requiring a scenario with client certificate authentication, s
- CVE-2018-17193Dec 19, 2018affected >= 1.0.0, < 1.8.0fixed 1.8.0
The message-page.jsp error page used the value of the HTTP request header X-ProxyContextPath without sanitization, resulting in a reflected XSS attack. Mitigation: The fix to correctly parse and sanitize the request attribute value was applied on the Apache NiFi 1.8.0 release. Us
- CVE-2018-17192Dec 19, 2018affected >= 1.0.0, < 1.8.0fixed 1.8.0
The X-Frame-Options headers were applied inconsistently on some HTTP responses, resulting in duplicate or missing security headers. Some browsers would interpret these results incorrectly, allowing clickjacking attacks. Mitigation: The fix to consistently apply the security heade
- CVE-2018-1310May 23, 2018affected < 1.6.0fixed 1.6.0
Apache NiFi JMS Deserialization issue because of ActiveMQ client vulnerability. Malicious JMS content could cause denial of service. See ActiveMQ CVE-2015-5254 announcement for more information. The fix to upgrade the activemq-client library to 5.15.3 was applied on the Apache Ni
- CVE-2017-15697Jan 23, 2018affected >= 1.0.0, < 1.5.0fixed 1.5.0
A malicious X-ProxyContextPath or X-Forwarded-Context header containing external resources or embedded code could cause remote code execution. The fix to properly handle these headers was applied on the Apache NiFi 1.5.0 release. Users running a prior 1.x release should upgrade t
- CVE-2017-12632Jan 23, 2018affected >= 1.0.0, < 1.5.0fixed 1.5.0
A malicious host header in an incoming HTTP request could cause NiFi to load resources from an external server. The fix to sanitize host headers and compare to a controlled whitelist was applied on the Apache NiFi 1.5.0 release. Users running a prior 1.x release should upgrade to
- affected < 0.7.2fixed 0.7.2
In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, the proxy chain serialization/deserialization is vulnerable to an injection attack where a carefully crafted username could impersonate another user and gain their permissions on a replicated request to an
- affected < 0.7.2fixed 0.7.2
In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, if an anonymous user request is replicated to another node, the originating node identity is used rather than the "anonymous" user.
- affected < 1.0.1fixed 1.0.1
In Apache NiFi before 1.0.1 and 1.1.x before 1.1.1, there is a cross-site scripting vulnerability in connection details dialog when accessed by an authorized user. The user supplied text was not being properly handled when added to the DOM.
- affected >= 1.0.0, < 1.4.0fixed 1.4.0
An authorized user could upload a template which contained malicious code and accessed sensitive files via an XML External Entity (XXE) attack. The fix to properly handle XML External Entities was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should
- affected < 0.7.4fixed 0.7.4
Apache NiFi before 0.7.4 and 1.x before 1.3.0 need to establish the response header telling browsers to only allow framing with the same origin.
Page 1 of 2