50 matches found
CVE-2024-56512
CVE-2024-56512 (Apache NiFi) affects NiFi 1.10.0–2.0.0, where creating a new Process Group omits fine‑grained authorization checks for Parameter Contexts, referenced Controller Services, and referenced Parameter Providers. As a result, authenticated users with permission to create Process Groups ...
CVE-2019-10086
CVE-2019-10086 affects Apache Commons BeanUtils 1.9.2, where a BeanIntrospector addition could suppress access to the classloader via the class property on Java objects. The issue stems from not applying the suppression by default in PropertyUtilsBean, enabling potential risk across affected depl...
CVE-2020-27223
CVE-2020-27223 affects Eclipse Jetty 9.4.6.v20170531–9.4.36.v20210114, 10.0.0, and 11.0.0, where handling requests with multiple Accept headers and many quality (q) values can cause high CPU usage and a DoS. Public sources consistently describe CPU exhaustion as the impact. Remediation is to upgr...
CVE-2024-37389
The CVE-2024-37389 entry affects Apache NiFi versions 1.10.0–1.26.0 and 2.0.0-M1–2.0.0-M3, where the Parameter Context description field is vulnerable to cross-site scripting. An authenticated user with Parameter Context configuration rights can input arbitrary JavaScript code that the browser ex...
CVE-2021-20190
CVE-2021-20190 is a Jackson Databind deserialization vulnerability involving the interaction between serialization gadgets and typing, present in Jackson Databind up to 2.9.10.7. The IBM bulletin for Cloudera Observability confirms this CVE as part of a collection and notes a fix in Cloudera Obse...
CVE-2023-40037
CVE-2023-40037 affects Apache NiFi versions 1.21.0 through 1.23.0, where JDBC/JNDI JMS access in several Processors and Controller Services uses connection URL validation that is insufficient against crafted inputs. An authenticated, authorized user can bypass validation by formatting inputs clev...
CVE-2023-34468
CVE-2023-34468 affects Apache NiFi controllers: DBCPConnectionPool and HikariCPConnectionPool. Versions 0.0.2 through 1.21.0 allow an authenticated/authorized user to configure a Database URL using the H2 driver that enables custom code execution. The issue is mitigated by upgrading to NiFi 1.22....
CVE-2020-1928
The CVE-2020-1928 entry affects Apache NiFi 1.10.0. The vulnerability is an information disclosure where the sensitive parameter parser logs parsed values for debugging, exposing literal values entered in a sensitive property when no parameter is present. This is described across multiple sources...
CVE-2022-26850
CVE-2022-26850 affects Apache NiFi (pre-1.16) where during creation/update of single-user credentials a copy of the Login Identity Providers configuration was written to the OS temporary directory, which often has global read permissions. The temporary file was moved to the final configuration di...
CVE-2019-10080
Summary (CVE-2019-10080) : In Apache NiFi, the XMLFileLookupService vulnerability affects NiFi versions 1.3.0–1.9.2, where trusted users could configure a malicious XML file that can perform external calls via XXE and disclose information about the NiFi environment (e.g., Java, Jersey, and Apache...
CVE-2020-1933
CVE-2020-1933 describes a cross-site scripting (XSS) vulnerability in Apache NiFi, affecting versions 1.0.0 through 1.10.0. According to the provided documents, the issue allows an authenticated user to inject malicious scripts into the UI via actions performed in Firefox; other browsers do not a...
CVE-2019-10083
This CVE (CVE-2019-10083) affects Apache NiFi 1.3.0–1.9.2. The API path for updating a Process Group returns the top-level contents of the group, including details about processors and controller services that the user may not have read access to. This constitutes an information-disclosure flaw i...
CVE-2023-36542
Summary of CVE-2023-36542 (Apache NiFi) : NiFi versions 0.0.2 through 1.22.0 include Processors and Controller Services that support HTTP URL references for retrieving drivers, which can enable a privileged user to configure a location that allows custom code execution. The root cause involves re...
CVE-2019-12421
CVE-2019-12421 affects Apache NiFi; in NiFi versions 1.0.0–1.9.2, when using an authentication mechanism other than PKI, logging out invalidates the client-side token but not the server-side token. This allows the user’s client-side token to be used for up to 12 hours after logout to make API req...
CVE-2022-29265
CVE-2022-29265 (NiFi) affects Apache NiFi 0.0.1–1.16.0, where multiple components do not restrict XML External Entity (XXE) references in the default configuration. The vulnerable processors—EvaluateXPath, EvaluateXQuery, and ValidateXml—can resolve XML entities when default properties are used, ...
CVE-2020-1942
CVE-2020-1942 affects Apache NiFi versions 0.0.1 through 1.11.0. The root cause involves the flow fingerprint factory generating flow fingerprints that include sensitive property descriptor values, which can be exposed when a node joins a cluster and the cluster flow is not inheritable; the finge...
CVE-2022-33140
The Red Hat, CIRCL, OSV, and other connected feeds confirm CVE-2022-33140 affects Apache NiFi (1.10.0–1.16.2) and Apache NiFi Registry (0.6.0–1.16.2). The root cause is that the optional ShellUserGroupProvider does not neutralize arguments for group resolution commands, allowing command injection...
CVE-2025-27017
CVE-2025-27017 affects Apache NiFi releases 1.13.0 through 2.2.0, where the MongoDB authentication credentials (username/password) used by MongoDB components can be included in provenance event records. An authorized user with read access to these provenance events may view the credentials, expos...
CVE-2018-17193
The CVE-2018-17193 issue affects Apache NiFi where the message-page.jsp error page used the HTTP header X-ProxyContextPath without sanitization, enabling a reflected XSS attack. The root cause is unsanitized usage of the request attribute value in that page. The vulnerability is addressed in NiFi...
CVE-2018-17195
Apache NiFi template upload API is vulnerable to CSRF due to missing CORS filtering on the template/upload endpoint. The issue allows cross-origin requests that can lead to unauthorized operations when combined with a MiTM/ARP-spoofing scenario. Affected versions include NiFi 1.0.0 through 1.7.1 ...
CVE-2018-1310
CVE-2018-1310 affects Apache NiFi via JMS deserialization tied to the ActiveMQ client vulnerability CVE-2015-5254. The issue arises from deserializing untrusted JMS content, enabling denial of service as noted in the associated ActiveMQ advisories. Mitigation in NiFi is to upgrade the activemq-cl...
CVE-2024-52067
CVE-2024-52067 affects Apache NiFi 1.16.0–1.28.0 and 2.0.0-M1–2.0.0-M4. The issue is optional debug logging of Parameter Context values during flow synchronization, which an authorized admin could enable to write parameter names and values to logs. Deployments with the default Logback config do n...
CVE-2018-17194
Apache NiFi vulnerability CVE-2018-17194 arises because, during replication of client requests across cluster nodes, the Content-Length value was forwarded. For DELETE requests, the body was ignored; however, if the initial request carried a non-zero Content-Length, receiving nodes would wait for...
CVE-2018-17192
CVE-2018-17192 affects Apache NiFi where the X-Frame-Options headers were inconsistently applied on HTTP responses, leading to duplicate or missing security headers and potential clickjacking. The issue is documented across multiple sources, with mitigations indicating that a fix was applied in N...
CVE-2021-44145
CVE-2021-44145 affects the Apache NiFi TransformXML processor (before 1.15.1). An authenticated user could configure an XSLT file that contains external entity calls, potentially revealing sensitive information due to an XXE. The issue is documented across multiple sources, with remediation advis...
CVE-2017-15703
Apache NiFi (1.x) is affected by CVE-2017-15703 where an authenticated user with a valid client certificate and without ACL permissions can upload a template containing malicious Java deserialization code, leading to a denial-of-service. The root cause is improper handling of Java deserialization...
CVE-2020-9486
CVE-2020-9486 affects Apache NiFi 1.10.0–1.11.4, where the stateless execution engine logs a flow definition configuration JSON during trigger, potentially revealing sensitive property values in plaintext. The vulnerability, described as information disclosure, is evidenced by multiple sources (N...
CVE-2020-9491
CVE-2020-9491 affects Apache NiFi ranges 1.2.0–1.11.4, where the UI/API enforce TLS v1.2 but intracluster communications (cluster request replication, Site-to-Site, load-balanced queues) allowed TLS v1.0/v1.1. The provided connected documents reiterate this scope, identifying the vulnerable compo...
CVE-2020-13940
In Apache NiFi, versions 1.0.0–1.11.4 expose a XXE-related risk in the notification service manager and certain policy authorizer and user group provider objects. The underlying issue allows an administrator-controlled XML file to trigger external calls to services, via XML External Entity proces...
CVE-2020-9487
CVE-2020-9487 affects Apache NiFi 1.0.0–1.11.4. The NiFi download token mechanism used a fixed cache size and did not authenticate a request to create a download token, only when the token was used to access content. This allowed an unauthenticated user to repeatedly request download tokens, caus...
CVE-2023-34212
Affected software: Apache NiFi (versions 1.8.0–1.21.0). Vulnerability: The JndiJmsConnectionFactoryProvider Controller Service, with ConsumeJMS and PublishJMS Processors, allows an authenticated/authorized user to configure URL and library properties that enable deserialization of untrusted data ...
CVE-2017-12623
CVE-2017-12623 concerns Apache NiFi where an authorized user could upload a template containing malicious code and trigger an XML External Entity (XXE) attack to access sensitive files. The root cause is improper handling of XML external entities within uploaded templates. The fixed behavior was ...
CVE-2017-12632
CVE-2017-12632 affects Apache NiFi and relates to a host header handling issue. A malicious Host header in an incoming HTTP request could cause NiFi to load resources from an external server. The vulnerability is mitigated by sanitizing host headers and comparing them against a controlled whiteli...
CVE-2017-5636
CVE-2017-5636 affects Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment. The issue is a vulnerability in the proxy chain serialization/deserialization that can be exploited by crafting a username to impersonate another user and gain their permissions on a replicated request t...
CVE-2017-7667
CVE-2017-7667 affects Apache NiFi versions prior to 0.7.4 and 1.x prior to 1.3.0. The issue is an Origin Validation/Framing problem where NiFi did not set a suitable X-Frame-Options header, leaving the application vulnerable to cross-frame framing attacks. Connected advisories (GHSA/JQ99, CNVD/CN...
CVE-2023-22832
CVE-2023-22832 affects Apache NiFi: ExtractCCDAAttributes Processor (versions 1.2.0–1.19.1). The issue is improper handling of XML External Entity (XXE) references via XML Document Type Declarations, enabling attacks from malicious XML documents. The documented impact is high confidentiality risk...
CVE-2017-15697
CVE-2017-15697 affects Apache NiFi and relates to handling of the X-ProxyContextPath and X-Forwarded-Context headers. The described vulnerability could enable remote code execution if a malicious header points to external resources or embedded code. The available documents indicate the fix was ap...
CVE-2023-49145
Apache NiFi
CVE-2016-8748
Affected software and component: Apache NiFi; vulnerable in the connection details dialog. Root cause: user-supplied text is not properly sanitized/handled before being added to the DOM, enabling cross-site scripting. Versions affected: NiFi before 1.0.1 and 1.1.x before 1.1.1. Impact (as stated)...
CVE-2018-1309
Apache NiFi SplitXML processor is affected by an XML External Entity (XXE) vulnerability. Malicious XML content can lead to information disclosure or remote code execution. The issue arises from handling external entities and DOCTYPE processing; mitigation implemented in NiFi 1.6.0 disables exter...
CVE-2017-5635
In Apache NiFi, versions before 0.7.2 and before 1.1.2 in a cluster environment are affected. When an anonymous user request is replicated to another node, the originating node identity is used instead of the anonymous user. Root cause: misattribution of the user identity across cluster replicati...
CVE-2017-7665
CVE-2017-7665 : In Apache NiFi, before 0.7.4 and 1.x before 1.3.0, certain UI input components did not sufficiently guard against some forms of XSS. This is a cross-site scripting vulnerability in the NiFi web UI due to insufficient input validation in UI components. Connected advisories (GHSA-M5...
CVE-2024-45477
Apache NiFi is affected by CVE-2024-45477 due to improper neutralization of input in the Parameter Context description field. The vulnerability exists in NiFi versions 1.10.0–1.27.0 and 2.0.0-M1–2.0.0-M3, where an authenticated user with permission to configure a Parameter Context can inject arbi...
CVE-2026-25903
Summary: CVE-2026-25903 affects Apache NiFi 1.1.0–2.7.2, where updating configuration properties on extension components with Restricted annotation permissions bypasses some authorization checks. This can allow a user with lower privileges to modify properties for components that require higher p...
CVE-2025-66524
The vulnerability concerns Apache NiFi GetAsanaObject Processor (NiFi 1.20.0–2.6.0) which uses unfiltered Java Object serialization/deserialization with a Distribute Map Cache Client Service for state. The root cause is unsafe deserialization of crafted state data stored in the configured cache s...
CVE-2026-39816
CVE-2026-39816 impacts Apache NiFi 2.0.0-M1 through 2.8.0 where the optional TinkerpopClientService (in the graph bundle, nifi-other-graph-services-nar) lacks the @Restricted annotation for Execute Code permission. This allows a flow designer with restricted privileges to configure ByteCode Submi...
CVE-2026-44914
Apache NiFi versions 1.12.0–2.9.0 are vulnerable to missing authorization when replacing Process Groups that include extension components with the Restricted annotation. The Restricted annotation signals higher privileges, but framework authorization did not enforce restricted status during repla...
CVE-2026-44913
CVE-2026-44913 concerns Apache NiFi’s CaptureChangeMySQL Processor. The vulnerability arises from improper escaping of database table names, enabling SQL injection through crafted naming in NiFi versions 1.2.0–2.9.0. The issue can be partially mitigated by prior hardening (e.g., manual quoted bou...
CVE-2026-44911
CVE-2026-44911 affects Apache NiFi 1.15.0–2.9.0 where authorization for component configuration verification requests is insufficient: users with read access can submit proposed configuration properties, potentially overriding current settings and invoking verification methods with altered parame...
CVE-2026-54665
Apache NiFi (versions 0.0.1–2.9.0) is affected by an input-validation flaw where URL redirection/data references can be influenced by non-standard host headers. NiFi 1.6.0 added a proxy-host header validation mechanism, but validation was not applied to alternative headers (X-ProxyHost, X-Forward...