Lucene search

K

Nifi Security Vulnerabilities

cve
cve

CVE-2023-49145

Apache NiFi 0.7.0 through 1.23.2 include the JoltTransformJSON Processor, which provides an advanced configuration user interface that is vulnerable to DOM-based cross-site scripting. If an authenticated user, who is authorized to configure a JoltTransformJSON Processor, visits a crafted URL, then....

7.9CVSS

5.1AI Score

0.001EPSS

2023-11-27 11:15 PM
23
cve
cve

CVE-2023-41180

Incorrect certificate validation in InvokeHTTP on Apache NiFi MiNiFi C++ versions 0.13 to 0.14 allows an intermediary to present a forged certificate during TLS handshake negotation. The Disable Peer Verification property of InvokeHTTP was effectively flipped, disabling verification by default,...

5.9CVSS

5.6AI Score

0.0004EPSS

2023-09-03 04:15 PM
23
cve
cve

CVE-2023-40037

Apache NiFi 1.21.0 through 1.23.0 support JDBC and JNDI JMS access in several Processors and Controller Services with connection URL validation that does not provide sufficient protection against crafted inputs. An authenticated and authorized user can bypass connection URL validation using custom....

6.5CVSS

6.3AI Score

0.001EPSS

2023-08-18 10:15 PM
33
cve
cve

CVE-2023-36542

Apache NiFi 0.0.2 through 1.22.0 include Processors and Controller Services that support HTTP URL references for retrieving drivers, which allows an authenticated and authorized user to configure a location that enables custom code execution. The resolution introduces a new Required Permission for....

8.8CVSS

8.7AI Score

0.003EPSS

2023-07-29 08:15 AM
33
cve
cve

CVE-2023-34212

The JndiJmsConnectionFactoryProvider Controller Service, along with the ConsumeJMS and PublishJMS Processors, in Apache NiFi 1.8.0 through 1.21.0 allow an authenticated and authorized user to configure URL and library properties that enable deserialization of untrusted data from a remote location.....

6.5CVSS

6.4AI Score

0.001EPSS

2023-06-12 04:15 PM
21
cve
cve

CVE-2023-34468

The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution. The resolution validates the Database URL and rejects H2 JDBC...

8.8CVSS

8.5AI Score

0.901EPSS

2023-06-12 04:15 PM
44
cve
cve

CVE-2023-22832

The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references. Flow configurations that include the ExtractCCDAAttributes Processor are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity.....

7.5CVSS

7.4AI Score

0.001EPSS

2023-02-10 08:15 AM
31
cve
cve

CVE-2022-33140

The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not neutralize arguments for group resolution commands, allowing injection of operating system commands on Linux and macOS platforms. The ShellUserGroupProvider is not included in the.....

8.8CVSS

8.8AI Score

0.002EPSS

2022-06-15 03:15 PM
63
2
cve
cve

CVE-2022-29265

Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configuration. The Standard Content Viewer service attempts to resolve XML External Entity references when viewing formatted XML files. The following Processors attempt to resolve XML...

7.5CVSS

7.5AI Score

0.001EPSS

2022-04-30 08:15 AM
70
cve
cve

CVE-2022-26850

When creating or updating credentials for single-user access, Apache NiFi wrote a copy of the Login Identity Providers configuration to the operating system temporary directory. On most platforms, the operating system temporary directory has global read permissions. NiFi immediately moved the...

4.3CVSS

4.5AI Score

0.0005EPSS

2022-04-06 06:15 PM
77
cve
cve

CVE-2021-44145

In the TransformXML processor of Apache NiFi before 1.15.1 an authenticated user could configure an XSLT file which, if it included malicious external entity calls, may reveal sensitive...

6.5CVSS

6.3AI Score

0.0005EPSS

2021-12-17 09:15 AM
46
cve
cve

CVE-2021-33191

From Apache NiFi MiNiFi C++ version 0.5.0 the c2 protocol implements an "agent-update" command which was designed to patch the application binary. This "patching" command defaults to calling a trusted binary, but might be modified to an arbitrary value through a "c2-update" command. Said command...

9.8CVSS

9.3AI Score

0.02EPSS

2021-08-24 12:15 PM
20
cve
cve

CVE-2020-27223

In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those...

5.3CVSS

5.2AI Score

0.028EPSS

2021-02-26 10:15 PM
216
33
cve
cve

CVE-2021-20190

A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system...

8.1CVSS

7.6AI Score

0.004EPSS

2021-01-19 05:15 PM
199
13
cve
cve

CVE-2020-9487

In Apache NiFi 1.0.0 to 1.11.4, the NiFi download token (one-time password) mechanism used a fixed cache size and did not authenticate a request to create a download token, only when attempting to use the token to access the content. An unauthenticated user could repeatedly request download...

7.5CVSS

7.5AI Score

0.001EPSS

2020-10-01 08:15 PM
41
cve
cve

CVE-2020-9486

In Apache NiFi 1.10.0 to 1.11.4, the NiFi stateless execution engine produced log output which included sensitive property values. When a flow was triggered, the flow definition configuration JSON was printed, potentially containing sensitive values in...

7.5CVSS

7.4AI Score

0.001EPSS

2020-10-01 08:15 PM
41
cve
cve

CVE-2020-9491

In Apache NiFi 1.2.0 to 1.11.4, the NiFi UI and API were protected by mandating TLS v1.2, as well as listening connections established by processors like ListenHTTP, HandleHttpRequest, etc. However intracluster communication such as cluster request replication, Site-to-Site, and load balanced...

7.5CVSS

7.5AI Score

0.002EPSS

2020-10-01 08:15 PM
49
cve
cve

CVE-2020-13940

In Apache NiFi 1.0.0 to 1.11.4, the notification service manager and various policy authorizer and user group provider objects allowed trusted administrators to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via...

5.5CVSS

5.4AI Score

0.0004EPSS

2020-10-01 08:15 PM
46
cve
cve

CVE-2020-9482

If NiFi Registry 0.1.0 to 0.5.0 uses an authentication mechanism other than PKI, when the user clicks Log Out, NiFi Registry invalidates the authentication token on the client side but not on the server side. This permits the user's client-side token to be used for up to 12 hours after logging out....

6.5CVSS

6.5AI Score

0.001EPSS

2020-04-28 07:15 PM
58
cve
cve

CVE-2020-1942

In Apache NiFi 0.0.1 to 1.11.0, the flow fingerprint factory generated flow fingerprints which included sensitive property descriptor values. In the event a node attempted to join a cluster and the cluster flow was not inheritable, the flow fingerprint of both the cluster and local flow was...

7.5CVSS

7.3AI Score

0.001EPSS

2020-02-11 09:15 PM
65
cve
cve

CVE-2020-1928

An information disclosure vulnerability was found in Apache NiFi 1.10.0. The sensitive parameter parser would log parsed values for debugging purposes. This would expose literal values entered in a sensitive property when no parameter was...

5.3CVSS

5AI Score

0.002EPSS

2020-01-28 01:15 AM
95
cve
cve

CVE-2020-1933

A XSS vulnerability was found in Apache NiFi 1.0.0 to 1.10.0. Malicious scripts could be injected to the UI through action by an unaware authenticated user in Firefox. Did not appear to occur in other...

6.1CVSS

5.8AI Score

0.002EPSS

2020-01-28 01:15 AM
85
cve
cve

CVE-2019-12421

When using an authentication mechanism other than PKI, when the user clicks Log Out in NiFi versions 1.0.0 to 1.9.2, NiFi invalidates the authentication token on the client side but not on the server side. This permits the user's client-side token to be used for up to 12 hours after logging out to....

8.8CVSS

8.7AI Score

0.001EPSS

2019-11-19 10:15 PM
70
cve
cve

CVE-2019-10080

The XMLFileLookupService in NiFi versions 1.3.0 to 1.9.2 allowed trusted users to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE) and reveal information such as the versions of Java, Jersey, and Apache that the...

6.5CVSS

6.3AI Score

0.001EPSS

2019-11-19 10:15 PM
85
cve
cve

CVE-2019-10083

When updating a Process Group via the API in NiFi versions 1.3.0 to 1.9.2, the response to the request includes all of its contents (at the top most level, not recursively). The response included details about processors and controller services which the user may not have had read access...

5.3CVSS

5AI Score

0.001EPSS

2019-11-19 10:15 PM
76
cve
cve

CVE-2019-10086

In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the...

7.3CVSS

7.3AI Score

0.003EPSS

2019-08-20 09:15 PM
563
6
cve
cve

CVE-2018-17192

The X-Frame-Options headers were applied inconsistently on some HTTP responses, resulting in duplicate or missing security headers. Some browsers would interpret these results incorrectly, allowing clickjacking attacks. Mitigation: The fix to consistently apply the security headers was applied on.....

6.5CVSS

6.4AI Score

0.003EPSS

2018-12-19 02:29 PM
50
cve
cve

CVE-2018-17195

The template upload API endpoint accepted requests from different domain when sent in conjunction with ARP spoofing + man in the middle (MiTM) attack, resulting in a CSRF attack. The required attack vector is complex, requiring a scenario with client certificate authentication, same subnet access,....

7.5CVSS

7.5AI Score

0.0004EPSS

2018-12-19 02:29 PM
55
cve
cve

CVE-2018-17193

The message-page.jsp error page used the value of the HTTP request header X-ProxyContextPath without sanitization, resulting in a reflected XSS attack. Mitigation: The fix to correctly parse and sanitize the request attribute value was applied on the Apache NiFi 1.8.0 release. Users running a...

6.1CVSS

6AI Score

0.002EPSS

2018-12-19 02:29 PM
46
cve
cve

CVE-2018-17194

When a client request to a cluster node was replicated to other nodes in the cluster for verification, the Content-Length was forwarded. On a DELETE request, the body was ignored, but if the initial request had a Content-Length value other than 0, the receiving nodes would wait for the body and...

7.5CVSS

7.4AI Score

0.001EPSS

2018-12-19 02:29 PM
49
cve
cve

CVE-2018-1309

Apache NiFi External XML Entity issue in SplitXML processor. Malicious XML content could cause information disclosure or remote code execution. The fix to disable external general entity parsing and disallow doctype declarations was applied on the Apache NiFi 1.6.0 release. Users running a prior...

9.8CVSS

9.4AI Score

0.004EPSS

2018-05-23 02:29 PM
36
cve
cve

CVE-2018-1310

Apache NiFi JMS Deserialization issue because of ActiveMQ client vulnerability. Malicious JMS content could cause denial of service. See ActiveMQ CVE-2015-5254 announcement for more information. The fix to upgrade the activemq-client library to 5.15.3 was applied on the Apache NiFi 1.6.0 release......

7.5CVSS

8.2AI Score

0.039EPSS

2018-05-23 02:29 PM
46
cve
cve

CVE-2017-15703

Any authenticated user (valid client certificate but without ACL permissions) could upload a template which contained malicious code and caused a denial of service via Java deserialization attack. The fix to properly handle Java deserialization was applied on the Apache NiFi 1.4.0 release. Users...

5CVSS

5.2AI Score

0.001EPSS

2018-01-25 09:29 PM
52
cve
cve

CVE-2017-12632

A malicious host header in an incoming HTTP request could cause NiFi to load resources from an external server. The fix to sanitize host headers and compare to a controlled whitelist was applied on the Apache NiFi 1.5.0 release. Users running a prior 1.x release should upgrade to the appropriate...

7.5CVSS

7.4AI Score

0.002EPSS

2018-01-23 10:29 PM
40
cve
cve

CVE-2017-15697

A malicious X-ProxyContextPath or X-Forwarded-Context header containing external resources or embedded code could cause remote code execution. The fix to properly handle these headers was applied on the Apache NiFi 1.5.0 release. Users running a prior 1.x release should upgrade to the appropriate.....

9.8CVSS

9.7AI Score

0.009EPSS

2018-01-23 10:29 PM
39
cve
cve

CVE-2017-5636

In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, the proxy chain serialization/deserialization is vulnerable to an injection attack where a carefully crafted username could impersonate another user and gain their permissions on a replicated request to another...

9.8CVSS

9.5AI Score

0.001EPSS

2017-10-19 08:29 PM
38
cve
cve

CVE-2017-5635

In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, if an anonymous user request is replicated to another node, the originating node identity is used rather than the "anonymous"...

7.5CVSS

7.4AI Score

0.001EPSS

2017-10-19 08:29 PM
33
cve
cve

CVE-2016-8748

In Apache NiFi before 1.0.1 and 1.1.x before 1.1.1, there is a cross-site scripting vulnerability in connection details dialog when accessed by an authorized user. The user supplied text was not being properly handled when added to the...

5.4CVSS

5.2AI Score

0.001EPSS

2017-10-19 08:29 PM
33
cve
cve

CVE-2017-12623

An authorized user could upload a template which contained malicious code and accessed sensitive files via an XML External Entity (XXE) attack. The fix to properly handle XML External Entities was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should upgrade to the...

6.5CVSS

6.5AI Score

0.0005EPSS

2017-10-10 06:29 PM
36
cve
cve

CVE-2017-7667

Apache NiFi before 0.7.4 and 1.x before 1.3.0 need to establish the response header telling browsers to only allow framing with the same...

7.5CVSS

7.4AI Score

0.001EPSS

2017-06-12 04:29 PM
42
cve
cve

CVE-2017-7665

In Apache NiFi before 0.7.4 and 1.x before 1.3.0, there are certain user input components in the UI which had been guarding for some forms of XSS issues but were...

6.1CVSS

6AI Score

0.001EPSS

2017-06-12 04:29 PM
34