9 matches found

ATTACKERKB
added 2026/06/22 7:38 a.m. | 9 views

CVE-2026-44914

Apache NiFi 1.12.0 through 2.9.0 are missing authorization when replacing Process Groups that include extension components with specific Required Permissions based on the Restricted annotation. The Restricted annotation indicates additional privileges required, but framework authorization did not...

7.5 CVSS | 5.9 AI score | 0.00393 EPSS
Exploits 0 | References 2 | Affected Software 1

ATTACKERKB
added 2026/06/22 7:36 a.m. | 8 views

CVE-2026-44913

Improper escaping of database table names in the CaptureChangeMySQL Processor included with Apache NiFi 1.2.0 through 2.9.0 allows for injecting SQL commands using crafted naming. Manual quoted boundaries added in Apache NiFi 1.8.0 narrowed the scope of potential injection options, but did not...

5.2 CVSS | 5.9 AI score | 0.00385 EPSS
Exploits 0 | References 2 | Affected Software 1

RedhatCVE
added 2026/06/05 7:12 p.m. | 10 views

CVE-2026-39816

The optional extension component TinkerpopClientService is missing the Restricted annotation with the Execute Code Required Permission in Apache NiFi 2.0.0-M1 through 2.8.0. The TinkerpopClientService supports configuration of ByteCode Submission for the Script Submission Type, enabling Groovy...

8.8 CVSS | 5.7 AI score | 0.0076 EPSS
Exploits 1 | References 1

Github Security Blog
added 2026/05/08 3:31 p.m. | 13 views

Apache NiFi is missing the Restricted annotation with the Execute Code Required Permission

The optional extension component TinkerpopClientService is missing the Restricted annotation with the Execute Code Required Permission in Apache NiFi 2.0.0-M1 through 2.8.0. The TinkerpopClientService supports configuration of ByteCode Submission for the Script Submission Type, enabling Groovy...

8.8 CVSS | 5.9 AI score | 0.0076 EPSS
Exploits 1 | References 7 | Affected Software 1

OSV
added 2026/04/13 2:17 p.m. | 3 views

BIT-NIFI-2024-45477 Apache NiFi: Improper Neutralization of Input in Parameter Description

Apache NiFi 1.10.0 through 1.27.0 support a description field for Parameters in a Parameter Context configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to configure a Parameter Context, can enter arbitrary JavaScript code, which the client browser will...

4.6 CVSS | 5.6 AI score | 0.00646 EPSS
Exploits 0 | References 3

RedhatCVE
added 2025/12/20 10:11 a.m. | 20 views

CVE-2025-66524

Apache NiFi 1.20.0 through 2.6.0 include the GetAsanaObject Processor, which requires integration with a configurable Distribute Map Cache Client Service for storing and retrieving state information. The GetAsanaObject Processor used generic Java Object serialization and deserialization without...

8.8 CVSS | 6.6 AI score | 0.00435 EPSS
Exploits 0 | References 1

Github Security Blog
added 2025/12/19 12:31 p.m. | 9 views

Apache NiFi GetAsanaObject Processor has Remote Code Execution via Unsafe Deserialization

Apache NiFi 1.20.0 through 2.6.0 include the GetAsanaObject Processor, which requires integration with a configurable Distribute Map Cache Client Service for storing and retrieving state information. The GetAsanaObject Processor used generic Java Object serialization and deserialization without...

8.8 CVSS | 6.7 AI score | 0.00435 EPSS
Exploits 0 | References 5 | Affected Software 1

EUVD
added 2025/10/07 12:30 a.m. | 3 views

EUVD-2018-0796

Malware in sbrugna...

7.5 CVSS | 7.6 AI score | 0.0297 EPSS
Exploits 0 | References 7

OSV
added 2025/09/12 11:47 a.m. | 3 views

BIT-NIFI-2023-49145 Apache NiFi: Improper Neutralization of Input in Advanced User Interface for Jolt

Apache NiFi 0.7.0 through 1.23.2 include the JoltTransformJSON Processor, which provides an advanced configuration user interface that is vulnerable to DOM-based cross-site scripting. If an authenticated user, who is authorized to configure a JoltTransformJSON Processor, visits a crafted URL, the...

7.9 CVSS | 6.1 AI score | 0.01212 EPSS
Exploits 0 | References 4