CVE-2021-44145 – Apache NiFi information disclosure by XXE
https://notcve.org/view.php?id=CVE-2021-44145
In the TransformXML processor of Apache NiFi before 1.15.1 an authenticated user could configure an XSLT file which, if it included malicious external entity calls, may reveal sensitive information. En el procesador TransformXML de Apache NiFi versiones anteriores a 1.15.1, un usuario autenticado podía configurar un archivo XSLT que, si incluía llamadas a entidades externas maliciosas, podía revelar información confidencial • http://www.openwall.com/lists/oss-security/2021/12/17/1 https://nifi.apache.org/security.html#1.15.1-vulnerabilities • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2020-27223 – jetty: request containing multiple Accept headers with a large number of "quality" parameters may lead to DoS
https://notcve.org/view.php?id=CVE-2020-27223
In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values. En Eclipse Jetty versiones 9.4.6.v20170531 hasta 9.4.36.v20210114 (inclusive), versiones 10.0.0 y 11.0.0, cuando Jetty maneja una petición que contiene múltiples encabezados Accept con una gran cantidad de parámetros “quality” (es decir, q), el servidor puede entrar en un estado de denegación de servicio (DoS) debido al alto uso de CPU procesando esos valores de calidad, resultando en minutos de tiempo de CPU agotados procesando esos valores de calidad • https://github.com/motikan2010/CVE-2020-27223 https://github.com/ttestoo/Jetty-CVE-2020-27223 https://bugs.eclipse.org/bugs/show_bug.cgi?id=571128 https://github.com/eclipse/jetty.project/security/advisories/GHSA-m394-8rww-3jr7 https://lists.apache.org/thread.html/r068dfd35ce2193f6af28b74ff29ab148c2b2cacb235995576f5bea78%40%3Cissues.solr.apache.org%3E https://lists.apache.org/thread.html/r07aedcb1ece62969c406cb84c8f0e22cec7e42cdc272f3176e473320%40%3Cusers.solr.apache.org%3E https://lists.apache.org/thread.html/r0b639bd9bfaea2650221 • CWE-400: Uncontrolled Resource Consumption CWE-407: Inefficient Algorithmic Complexity •
CVE-2021-20190 – jackson-databind: mishandles the interaction between serialization gadgets and typing, related to javax.swing
https://notcve.org/view.php?id=CVE-2021-20190
A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. Se encontró un fallo en jackson-databind versiones anteriores a 2.9.10.7. FasterXML maneja inapropiadamente la interacción entre los gadgets de serialización y escritura. • https://bugzilla.redhat.com/show_bug.cgi?id=1916633 https://github.com/FasterXML/jackson-databind/issues/2854 https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a%40%3Ccommits.nifi.apache.org%3E https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html https://security.netapp.com/advisory/ntap-20210219-0008 https://www.oracle.com//security-alerts/cpujul2021.html https://access.redhat.com/security/cve/CVE-2021-20190 • CWE-502: Deserialization of Untrusted Data •
CVE-2020-9491
https://notcve.org/view.php?id=CVE-2020-9491
In Apache NiFi 1.2.0 to 1.11.4, the NiFi UI and API were protected by mandating TLS v1.2, as well as listening connections established by processors like ListenHTTP, HandleHttpRequest, etc. However intracluster communication such as cluster request replication, Site-to-Site, and load balanced queues continued to support TLS v1.0 or v1.1. En Apache NiFi versiones 1.2.0 hasta 1.11.4, la Interfaz de Usuario y la API de NiFi estaban protegidas al exigir TLS versión v1.2, así como las conexiones de escucha establecidas por procesadores como ListenHTTP, HandleHttpRequest, etc. Sin embargo, la comunicación intracluster, como la replicación de peticiones de clúster, Site -to-Site, y las colas de balanceo de carga continuaban admitiendo TLS versión v1.0 o v1.1 • https://lists.apache.org/thread.html/r2d9c21f9ec35d66f2bb42f8abe876dabd786166b6284e9a33582c718%40%3Ccommits.nifi.apache.org%3E https://lists.apache.org/thread.html/re48582efe2ac973f8cff55c8b346825cb491c71935e15ab2d61ef3bf%40%3Ccommits.nifi.apache.org%3E https://nifi.apache.org/security#CVE-2020-9491 • CWE-327: Use of a Broken or Risky Cryptographic Algorithm •
CVE-2020-13940
https://notcve.org/view.php?id=CVE-2020-13940
In Apache NiFi 1.0.0 to 1.11.4, the notification service manager and various policy authorizer and user group provider objects allowed trusted administrators to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE). En Apache NiFi versiones 1.0.0 hasta 1.11.4, el administrador del servicio de notificación y varios objetos del autorizador de políticas y proveedor de grupos de usuarios permitieron a los administradores confiables configurar inadvertidamente un archivo XML potencialmente malicioso. El archivo XML tiene la capacidad de hacer llamadas externas a servicios (por medio de XXE) • https://nifi.apache.org/security#CVE-2020-13940 • CWE-611: Improper Restriction of XML External Entity Reference •