CVSS: 9.0EPSS: 75%CPEs: 1EXPL: 5CVE-2023-34468 – Apache NiFi: Potential Code Injection with Database Services using H2
https://notcve.org/view.php?id=CVE-2023-34468
12 Jun 2023 — The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution. The resolution validates the Database URL and rejects H2 JDBC locations. You are recommended to upgrade to version 1.22.0 or later which fixes this issue. • https://packetstorm.news/files/id/174398 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-22832 – Apache NiFi: Improper Restriction of XML External Entity References in ExtractCCDAAttributes
https://notcve.org/view.php?id=CVE-2023-22832
10 Feb 2023 — The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references. Flow configurations that include the ExtractCCDAAttributes Processor are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. The resolution disables Document Type Declarations and disallows XML External Entity resolution in the ExtractCCDAAttributes Processor. • https://lists.apache.org/thread/b51qs6y7b7r58vovddkv6wc16g2xbl3w • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 8.8EPSS: 1%CPEs: 4EXPL: 0CVE-2022-33140 – Improper Neutralization of Command Elements in Shell User Group Provider
https://notcve.org/view.php?id=CVE-2022-33140
15 Jun 2022 — The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not neutralize arguments for group resolution commands, allowing injection of operating system commands on Linux and macOS platforms. The ShellUserGroupProvider is not included in the default configuration. Command injection requires ShellUserGroupProvider to be one of the enabled User Group Providers in the Authorizers configuration. Command injection also requires an authenticated user with el... • https://lists.apache.org/thread/bzs2pcdjsdrh5039oslmfr9mbs9qqdhr • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-29265 – Improper Restriction of XML External Entity References in Multiple Components
https://notcve.org/view.php?id=CVE-2022-29265
30 Apr 2022 — Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configuration. The Standard Content Viewer service attempts to resolve XML External Entity references when viewing formatted XML files. The following Processors attempt to resolve XML External Entity references when configured with default property values: - EvaluateXPath - EvaluateXQuery - ValidateXml Apache NiFi flow configurations that include these Processors are vulnerable to malicious XML d... • https://lists.apache.org/thread/47od9kr9n4cyv0mv81jh3pkyx815kyjl • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2022-26850 – Insufficiently protected credentials
https://notcve.org/view.php?id=CVE-2022-26850
06 Apr 2022 — When creating or updating credentials for single-user access, Apache NiFi wrote a copy of the Login Identity Providers configuration to the operating system temporary directory. On most platforms, the operating system temporary directory has global read permissions. NiFi immediately moved the temporary file to the final configuration directory, which significantly limited the window of opportunity for access. NiFi 1.16.0 includes updates to replace the Login Identity Providers configuration without writing ... • http://www.openwall.com/lists/oss-security/2022/04/06/2 • CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-44145 – Apache NiFi information disclosure by XXE
https://notcve.org/view.php?id=CVE-2021-44145
17 Dec 2021 — In the TransformXML processor of Apache NiFi before 1.15.1 an authenticated user could configure an XSLT file which, if it included malicious external entity calls, may reveal sensitive information. En el procesador TransformXML de Apache NiFi versiones anteriores a 1.15.1, un usuario autenticado podía configurar un archivo XSLT que, si incluía llamadas a entidades externas maliciosas, podía revelar información confidencial • http://www.openwall.com/lists/oss-security/2021/12/17/1 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.8EPSS: 7%CPEs: 1EXPL: 0CVE-2021-33191 – MiNiFi CPP arbitrary script execution is possible on the agent's host machine through the c2 protocol
https://notcve.org/view.php?id=CVE-2021-33191
24 Aug 2021 — From Apache NiFi MiNiFi C++ version 0.5.0 the c2 protocol implements an "agent-update" command which was designed to patch the application binary. This "patching" command defaults to calling a trusted binary, but might be modified to an arbitrary value through a "c2-update" command. Said command is then executed using the same privileges as the application binary. This was addressed in version 0.10.0 Apache NiFi MiNiFi C++ versión 0.5.0, el protocolo c2 implementa un comando "agent-update" que fue diseñado ... • http://www.openwall.com/lists/oss-security/2021/08/24/1 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 5.3EPSS: 22%CPEs: 23EXPL: 4CVE-2020-27223 – jetty: request containing multiple Accept headers with a large number of "quality" parameters may lead to DoS
https://notcve.org/view.php?id=CVE-2020-27223
26 Feb 2021 — In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values. En Eclipse Jetty versiones 9.4.6.v20170531 hasta 9.4.36.v20210114 (inclusive), versiones 10.0.0 y 11.0.0, cuando Jetty maneja... • https://github.com/motikan2010/CVE-2020-27223 • CWE-400: Uncontrolled Resource Consumption CWE-407: Inefficient Algorithmic Complexity •
CVSS: 8.3EPSS: 0%CPEs: 10EXPL: 0CVE-2021-20190 – jackson-databind: mishandles the interaction between serialization gadgets and typing, related to javax.swing
https://notcve.org/view.php?id=CVE-2021-20190
19 Jan 2021 — A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. Se encontró un fallo en jackson-databind versiones anteriores a 2.9.10.7. FasterXML maneja inapropiadamente la interacción entre los gadgets de serialización y escritura. • https://bugzilla.redhat.com/show_bug.cgi?id=1916633 • CWE-502: Deserialization of Untrusted Data •
CVSS: 7.5EPSS: 2%CPEs: 1EXPL: 0CVE-2020-9491
https://notcve.org/view.php?id=CVE-2020-9491
01 Oct 2020 — In Apache NiFi 1.2.0 to 1.11.4, the NiFi UI and API were protected by mandating TLS v1.2, as well as listening connections established by processors like ListenHTTP, HandleHttpRequest, etc. However intracluster communication such as cluster request replication, Site-to-Site, and load balanced queues continued to support TLS v1.0 or v1.1. En Apache NiFi versiones 1.2.0 hasta 1.11.4, la Interfaz de Usuario y la API de NiFi estaban protegidas al exigir TLS versión v1.2, así como las conexiones de escucha estab... • https://lists.apache.org/thread.html/r2d9c21f9ec35d66f2bb42f8abe876dabd786166b6284e9a33582c718%40%3Ccommits.nifi.apache.org%3E • CWE-327: Use of a Broken or Risky Cryptographic Algorithm •