
CVE-2018-1310
https://notcve.org/view.php?id=CVE-2018-1310
23 May 2018 — Apache NiFi JMS Deserialization issue because of ActiveMQ client vulnerability. Malicious JMS content could cause denial of service. See ActiveMQ CVE-2015-5254 announcement for more information. The fix to upgrade the activemq-client library to 5.15.3 was applied on the Apache NiFi 1.6.0 release. Users running a prior 1.x release should upgrade to the appropriate release. • https://nifi.apache.org/security.html#CVE-2018-1310 • CWE-502: Deserialization of Untrusted Data

CVE-2017-15703
https://notcve.org/view.php?id=CVE-2017-15703
25 Jan 2018 — Any authenticated user (valid client certificate but without ACL permissions) could upload a template which contained malicious code and caused a denial of service via Java deserialization attack. The fix to properly handle Java deserialization was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should upgrade to the appropriate release. • https://nifi.apache.org/security.html#CVE-2017-15703 • CWE-502: Deserialization of Untrusted Data

CVE-2017-15697
https://notcve.org/view.php?id=CVE-2017-15697
23 Jan 2018 — A malicious X-ProxyContextPath or X-Forwarded-Context header containing external resources or embedded code could cause remote code execution. The fix to properly handle these headers was applied on the Apache NiFi 1.5.0 release. Users running a prior 1.x release should upgrade to the appropriate release. • https://nifi.apache.org/security.html#CVE-2017-15697 • CWE-20: Improper Input Validation

CVE-2017-12632
https://notcve.org/view.php?id=CVE-2017-12632
23 Jan 2018 — A malicious host header in an incoming HTTP request could cause NiFi to load resources from an external server. The fix to sanitize host headers and compare to a controlled whitelist was applied on the Apache NiFi 1.5.0 release. Users running a prior 1.x release should upgrade to the appropriate release. • https://nifi.apache.org/security.html#CVE-2017-12632 • CWE-20: Improper Input Validation

CVE-2017-5635
https://notcve.org/view.php?id=CVE-2017-5635
19 Oct 2017 — In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, if an anonymous user request is replicated to another node, the originating node identity is used rather than the "anonymous" user. • http://www.securityfocus.com/bid/96730 • CWE-287: Improper Authentication

CVE-2017-5636
https://notcve.org/view.php?id=CVE-2017-5636
19 Oct 2017 — In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, the proxy chain serialization/deserialization is vulnerable to an injection attack where a carefully crafted username could impersonate another user and gain their permissions on a replicated request to another node. • http://www.securityfocus.com/bid/96731 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVE-2017-12623
https://notcve.org/view.php?id=CVE-2017-12623
10 Oct 2017 — An authorized user could upload a template which contained malicious code and accessed sensitive files via an XML External Entity (XXE) attack. The fix to properly handle XML External Entities was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should upgrade to the appropriate release. • https://nifi.apache.org/security.html#CVE-2017-12623 • CWE-611: Improper Restriction of XML External Entity Reference

CVE-2017-7665
https://notcve.org/view.php?id=CVE-2017-7665
12 Jun 2017 — In Apache NiFi before 0.7.4 and 1.x before 1.3.0, there are certain user input components in the UI which had been guarding for some forms of XSS issues but were insufficient. • http://www.securityfocus.com/bid/99009 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2017-7667
https://notcve.org/view.php?id=CVE-2017-7667
12 Jun 2017 — Apache NiFi before 0.7.4 and 1.x before 1.3.0 need to establish the response header telling browsers to only allow framing with the same origin. • http://www.securityfocus.com/bid/99018 • CWE-346: Origin Validation Error

CVE-2016-8748 – Apache NiFi 1.0.0 / 1.1.0 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2016-8748
17 Jan 2017 — In Apache NiFi before 1.0.1 and 1.1.x before 1.1.1, there is a cross-site scripting vulnerability in connection details dialog when accessed by an authorized user. The user supplied text was not being properly handled when added to the DOM. • http://www.securityfocus.com/bid/95621 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')