Lucene search: ApacheNifi

14 matches found

CVE record, added 2019/08/20 9:15 p.m., 821 views

CVE-2019-10086

In Apache Commons BeanUtils 1.9.2, a special BeanIntrospector class was added which allows suppressing an attacker's ability to reach the classloader via the `class` property available on all Java objects. However, PropertyUtilsBean did not use this BeanIntrospector by default.

CVSS 7.5, AI score 7.3, EPSS 0.00317

CVE record, added 2022/04/30 8:15 a.m., 88 views

CVE-2022-29265

Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configuration. The Standard Content Viewer service attempts to resolve XML External Entity references when viewing formatted XML files. The following Processors attempt to resolve XML Ex...

CVSS 7.5, AI score 7.5, EPSS 0.01171

CVE record, added 2020/02/11 9:15 p.m., 84 views

CVE-2020-1942

In Apache NiFi 0.0.1 to 1.11.0, the flow fingerprint factory generated flow fingerprints which included sensitive property descriptor values. In the event a node attempted to join a cluster and the cluster flow was not inheritable, the flow fingerprint of both the cluster and local flow was printed...

CVSS 7.5, AI score 7.3, EPSS 0.00165

CVE record, added 2018/12/19 2:29 p.m., 76 views

CVE-2018-17195

The template upload API endpoint accepted requests from a different domain when sent in conjunction with ARP spoofing and a man-in-the-middle (MitM) attack, resulting in a CSRF attack. The required attack vector is complex, requiring a scenario with client certificate authentication, same subnet access, ...

CVSS 7.5, AI score 7.5, EPSS 0.00202

CVE record, added 2018/12/19 2:29 p.m., 73 views

CVE-2018-17194

When a client request to a cluster node was replicated to other nodes in the cluster for verification, the Content-Length was forwarded. On a DELETE request, the body was ignored, but if the initial request had a Content-Length value other than 0, the receiving nodes would wait for the body and eve...

CVSS 7.5, AI score 7.4, EPSS 0.01215

CVE record, added 2018/05/23 2:29 p.m., 70 views

CVE-2018-1310

Apache NiFi has a JMS deserialization issue caused by an ActiveMQ client vulnerability. Malicious JMS content could cause a denial of service. See the ActiveMQ CVE-2015-5254 announcement for more information. The fix to upgrade the activemq-client library to 5.15.3 was applied on the Apache NiFi 1.6.0 release. U...

CVSS 7.5, AI score 8.2, EPSS 0.77148

CVE record, added 2020/10/01 8:15 p.m., 69 views

CVE-2020-9491

In Apache NiFi 1.2.0 to 1.11.4, the NiFi UI and API were protected by mandating TLS v1.2, as well as listening connections established by processors like ListenHTTP, HandleHttpRequest, etc. However intracluster communication such as cluster request replication, Site-to-Site, and load balanced queue...

CVSS 7.5, AI score 7.5, EPSS 0.02825

CVE record, added 2020/10/01 8:15 p.m., 66 views

CVE-2020-9486

In Apache NiFi 1.10.0 to 1.11.4, the NiFi stateless execution engine produced log output which included sensitive property values. When a flow was triggered, the flow definition configuration JSON was printed, potentially containing sensitive values in plaintext.

CVSS 7.5, AI score 7.4, EPSS 0.0058

CVE record, added 2018/01/23 10:29 p.m., 62 views

CVE-2017-12632

A malicious host header in an incoming HTTP request could cause NiFi to load resources from an external server. The fix to sanitize host headers and compare to a controlled whitelist was applied on the Apache NiFi 1.5.0 release. Users running a prior 1.x release should upgrade to the appropriate re...

CVSS 7.5, AI score 7.4, EPSS 0.00414
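The CVE-2017-12632 entry above describes the fix as sanitising the Host header and comparing it to a controlled whitelist. The following is an added example of what such a check looks like; it is not code from this page or from the Apache NiFi project, and the class name `HostHeaderCheck`, the method `isAllowed` and the sample allowlist are this example's own assumptions (Java 9 or later for `Set.of`). The point it makes is that the comparison has to happen after the header is normalised: the port is split off, bracketed IPv6 literals are unwrapped, case is folded, and anything that is not a plain hostname or address (a path, a space, an unbracketed IPv6 address) is rejected outright rather than passed through to whatever later builds URLs from it.

```java
import java.util.Locale;
import java.util.Set;

/** Allowlist check for an incoming HTTP Host header (added example, not NiFi code). */
public final class HostHeaderCheck {

    // Lower-case hostnames or addresses, without ports. Assumed configuration for the example.
    private final Set<String> allowed;

    public HostHeaderCheck(Set<String> allowed) {
        this.allowed = allowed;
    }

    /** Returns true only when the Host header, after normalisation, names a configured host. */
    public boolean isAllowed(String hostHeader) {
        if (hostHeader == null) return false;
        String s = hostHeader.trim();
        if (s.isEmpty()) return false;

        String host;
        String port = null;
        if (s.startsWith("[")) {                         // bracketed IPv6 literal, e.g. [::1]:8443
            int close = s.indexOf(']');
            if (close < 0) return false;
            host = s.substring(1, close);
            String rest = s.substring(close + 1);
            if (!rest.isEmpty()) {
                if (rest.charAt(0) != ':') return false;  // only ":port" may follow the bracket
                port = rest.substring(1);
            }
            if (!host.matches("[0-9A-Fa-f:.]+")) return false;
        } else {
            int colon = s.indexOf(':');
            if (colon >= 0) {
                host = s.substring(0, colon);
                port = s.substring(colon + 1);
            } else {
                host = s;
            }
            // Hostname characters only: rejects paths, spaces, percent-encoding and bare IPv6.
            if (!host.matches("[A-Za-z0-9.\\-]+")) return false;
        }
        if (port != null && !port.matches("[0-9]{1,5}")) return false;

        return allowed.contains(host.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        // Constructed allowlist and sample headers for the demonstration.
        HostHeaderCheck check = new HostHeaderCheck(Set.of("nifi.example.com", "127.0.0.1", "::1"));
        String[] samples = {
            "nifi.example.com", "NIFI.example.com:8443", "[::1]:8443", "127.0.0.1",
            "attacker.example", "nifi.example.com.attacker.example",
            "nifi.example.com:8443/evil", "::1", ""
        };
        for (String h : samples) {
            System.out.printf("%-40s -> %s%n", "\"" + h + "\"", check.isAllowed(h) ? "allowed" : "rejected");
        }
    }
}
```

Exact-match against a normalised value is deliberate: a prefix or suffix comparison would accept `nifi.example.com.attacker.example`, and matching before the port is split off would either reject legitimate `host:port` forms or, worse, make the allowlist depend on which port the request arrived on.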
CVE record, added 2020/10/01 8:15 p.m., 61 views

CVE-2020-9487

In Apache NiFi 1.0.0 to 1.11.4, the NiFi download token (one-time password) mechanism used a fixed cache size and did not authenticate a request to create a download token, only when attempting to use the token to access the content. An unauthenticated user could repeatedly request download tokens,...

CVSS 7.5, AI score 7.5, EPSS 0.00638
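The CVE-2020-9487 entry above combines two weaknesses: a fixed-size token cache and token creation that did not require authentication. The following added example reproduces that shape in miniature and then the corrected shape; it is illustrative code, not the page's or the Apache NiFi project's, and the class names `OpenTokenCache` and `AuthenticatedTokenCache`, the cache size of 3 and the per-principal limit of 2 are assumptions chosen for the demonstration. The first cache lets an unauthenticated caller mint tokens until a legitimate user's token is evicted; the second refuses to mint without a principal and bounds how many outstanding tokens one principal can hold, so no caller can push anyone else's entry out.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;

/** One-time download token caches: the vulnerable shape and a hardened one (added example). */
public class DownloadTokenDemo {

    static final int CACHE_SIZE = 3;   // deliberately tiny so the eviction is visible
    static final SecureRandom RNG = new SecureRandom();

    static String newToken() {
        byte[] b = new byte[16];
        RNG.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    /** Vulnerable shape: anyone may create a token, and the oldest entries fall out of a fixed-size map. */
    static class OpenTokenCache {
        private final Map<String, String> tokens = new LinkedHashMap<String, String>(16, 0.75f, false) {
            @Override
            protected boolean removeEldestEntry(Map.Entry<String, String> eldest) {
                return size() > CACHE_SIZE;
            }
        };

        String issue(String principal) {          // no authentication check at all
            String t = newToken();
            tokens.put(t, principal);
            return t;
        }

        boolean redeem(String token, String principal) {
            return principal.equals(tokens.remove(token));
        }
    }

    /** Hardened shape: creation needs an authenticated principal and is capped per principal. */
    static class AuthenticatedTokenCache {
        static final int PER_PRINCIPAL_LIMIT = 2;
        private final Map<String, String> tokens = new HashMap<>();
        private final Map<String, Integer> outstanding = new HashMap<>();

        String issue(String principal) {
            if (principal == null || principal.isEmpty()) {
                throw new SecurityException("authentication required to create a download token");
            }
            int n = outstanding.getOrDefault(principal, 0);
            if (n >= PER_PRINCIPAL_LIMIT) {
                throw new IllegalStateException("too many outstanding tokens for " + principal);
            }
            String t = newToken();
            tokens.put(t, principal);
            outstanding.put(principal, n + 1);
            return t;
        }

        boolean redeem(String token, String principal) {
            String owner = tokens.remove(token);
            if (owner == null || !owner.equals(principal)) return false;
            outstanding.merge(owner, -1, Integer::sum);
            return true;
        }
    }

    public static void main(String[] args) {
        // Constructed scenario: alice obtains a token, an anonymous caller floods the cache.
        OpenTokenCache open = new OpenTokenCache();
        String aliceToken = open.issue("alice");
        for (int i = 0; i < CACHE_SIZE; i++) open.issue("");   // unauthenticated requests
        System.out.println("open cache: alice's token still redeemable? " + open.redeem(aliceToken, "alice"));

        AuthenticatedTokenCache hardened = new AuthenticatedTokenCache();
        String aliceToken2 = hardened.issue("alice");
        try {
            hardened.issue("");
        } catch (SecurityException e) {
            System.out.println("hardened cache: " + e.getMessage());
        }
        System.out.println("hardened cache: alice's token still redeemable? " + hardened.redeem(aliceToken2, "alice"));
    }
}
```

Either fix alone is insufficient: authenticating creation without a per-principal cap still lets one low-privilege account evict everyone else, and a cap without authentication is meaningless because an anonymous caller has no identity to count against.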
CVE record, added 2017/06/12 4:29 p.m., 57 views

CVE-2017-7667

Apache NiFi before 0.7.4 and 1.x before 1.3.0 did not set the response header (X-Frame-Options: SAMEORIGIN) that tells browsers to only allow framing from the same origin.

CVSS 7.5, AI score 7.4, EPSS 0.00397

CVE record, added 2023/02/10 8:15 a.m., 57 views

CVE-2023-22832

The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references. Flow configurations that include the ExtractCCDAAttributes Processor are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity r...

CVSS 7.5, AI score 7.4, EPSS 0.0013
CVE record, added 2023/11/27 11:15 p.m., 53 views

CVE-2023-49145

Apache NiFi 0.7.0 through 1.23.2 include the JoltTransformJSON Processor, which provides an advanced configuration user interface that is vulnerable to DOM-based cross-site scripting. If an authenticated user, who is authorized to configure a JoltTransformJSON Processor, visits a crafted URL, then ...

CVSS 7.9, AI score 6, EPSS 0.00218

CVE record, added 2017/10/19 8:29 p.m., 52 views

CVE-2017-5635

In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, if an anonymous user request is replicated to another node, the originating node identity is used rather than the "anonymous" user.

CVSS 7.5, AI score 7.4, EPSS 0.01131