Lucene search
K

11 matches found

OSV
OSV
added 2018/12/20 10:2 p.m.16 views

GHSA-4QQ9-RRQ6-48FF Cross site scripting in org.apache.nifi:nifi

The message-page.jsp error page used the value of the HTTP request header X-ProxyContextPath without sanitization, resulting in a reflected XSS attack. Mitigation: The fix to correctly parse and sanitize the request attribute value was applied on the Apache NiFi 1.8.0 release. Users running a pri...

6.1CVSS6AI score0.02758EPSS
Exploits0References6
NVD
NVD
added 2018/12/19 2:29 p.m.29 views

CVE-2018-17194

When a client request to a cluster node was replicated to other nodes in the cluster for verification, the Content-Length was forwarded. On a DELETE request, the body was ignored, but if the initial request had a Content-Length value other than 0, the receiving nodes would wait for the body and...

7.5CVSS7.5AI score0.0297EPSS
Exploits0References1
Prion
Prion
added 2018/12/19 2:29 p.m.16 views

Design/Logic Flaw

The X-Frame-Options headers were applied inconsistently on some HTTP responses, resulting in duplicate or missing security headers. Some browsers would interpret these results incorrectly, allowing clickjacking attacks. Mitigation: The fix to consistently apply the security headers was applied on...

4.3CVSS6.5AI score0.0268EPSS
Exploits0References1Affected Software1
NVD
NVD
added 2018/12/19 2:29 p.m.34 views

CVE-2018-17195

The template upload API endpoint accepted requests from different domain when sent in conjunction with ARP spoofing + man in the middle MiTM attack, resulting in a CSRF attack. The required attack vector is complex, requiring a scenario with client certificate authentication, same subnet access,...

7.5CVSS7.6AI score0.00713EPSS
Exploits0References1
Prion
Prion
added 2018/12/19 2:29 p.m.14 views

Cross site request forgery (csrf)

The template upload API endpoint accepted requests from different domain when sent in conjunction with ARP spoofing + man in the middle MiTM attack, resulting in a CSRF attack. The required attack vector is complex, requiring a scenario with client certificate authentication, same subnet access,...

5.1CVSS7.5AI score0.00713EPSS
Exploits0References1Affected Software1
NVD
NVD
added 2018/12/19 2:29 p.m.36 views

CVE-2018-17193

The message-page.jsp error page used the value of the HTTP request header X-ProxyContextPath without sanitization, resulting in a reflected XSS attack. Mitigation: The fix to correctly parse and sanitize the request attribute value was applied on the Apache NiFi 1.8.0 release. Users running a pri...

6.1CVSS6.1AI score0.02758EPSS
Exploits0References1
OSV
OSV
added 2018/12/19 2:29 p.m.24 views

CVE-2018-17192

The X-Frame-Options headers were applied inconsistently on some HTTP responses, resulting in duplicate or missing security headers. Some browsers would interpret these results incorrectly, allowing clickjacking attacks. Mitigation: The fix to consistently apply the security headers was applied on...

6.5CVSS6.9AI score0.0268EPSS
Exploits0References1
Prion
Prion
added 2018/12/19 2:29 p.m.17 views

Cross site scripting

The message-page.jsp error page used the value of the HTTP request header X-ProxyContextPath without sanitization, resulting in a reflected XSS attack. Mitigation: The fix to correctly parse and sanitize the request attribute value was applied on the Apache NiFi 1.8.0 release. Users running a pri...

4.3CVSS5.9AI score0.02758EPSS
Exploits0References1Affected Software1
OSV
OSV
added 2018/12/19 2:29 p.m.22 views

CVE-2018-17194

When a client request to a cluster node was replicated to other nodes in the cluster for verification, the Content-Length was forwarded. On a DELETE request, the body was ignored, but if the initial request had a Content-Length value other than 0, the receiving nodes would wait for the body and...

7.5CVSS6.8AI score0.0297EPSS
Exploits0References1
Cvelist
Cvelist
added 2018/12/19 2:0 p.m.35 views

CVE-2018-17193

The message-page.jsp error page used the value of the HTTP request header X-ProxyContextPath without sanitization, resulting in a reflected XSS attack. Mitigation: The fix to correctly parse and sanitize the request attribute value was applied on the Apache NiFi 1.8.0 release. Users running a pri...

6AI score0.02758EPSS
Exploits0References1
CVE
CVE
added 2018/12/19 2:0 p.m.97 views

CVE-2018-17195

Apache NiFi template upload API is vulnerable to CSRF due to missing CORS filtering on the template/upload endpoint. The issue allows cross-origin requests that can lead to unauthorized operations when combined with a MiTM/ARP-spoofing scenario. Affected versions include NiFi 1.0.0 through 1.7.1 ...

7.5CVSS7.5AI score0.00713EPSS
Exploits0References1Affected Software1
Rows per page
Query Builder