CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2019-10083
https://notcve.org/view.php?id=CVE-2019-10083
19 Nov 2019 — When updating a Process Group via the API in NiFi versions 1.3.0 to 1.9.2, the response to the request includes all of its contents (at the top most level, not recursively). The response included details about processors and controller services which the user may not have had read access to. Cuando se actualiza un Process Group por medio de la API en NiFi versiones 1.3.0 hasta 1.9.2, la respuesta a la petición incluye todos sus contenidos (en el nivel más alto, no de manera recursiva). La respuesta incluyó ... • https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-12421
https://notcve.org/view.php?id=CVE-2019-12421
19 Nov 2019 — When using an authentication mechanism other than PKI, when the user clicks Log Out in NiFi versions 1.0.0 to 1.9.2, NiFi invalidates the authentication token on the client side but not on the server side. This permits the user's client-side token to be used for up to 12 hours after logging out to make API requests to NiFi. Cuando se utiliza un mecanismo de autenticación diferente de PKI, al momento que el usuario hace clic en el Log Out en NiFi versiones 1.0.0 hasta 1.9.2, NiFi invalida el token de autenti... • https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E • CWE-613: Insufficient Session Expiration •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2019-10080
https://notcve.org/view.php?id=CVE-2019-10080
19 Nov 2019 — The XMLFileLookupService in NiFi versions 1.3.0 to 1.9.2 allowed trusted users to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE) and reveal information such as the versions of Java, Jersey, and Apache that the NiFI instance uses. El XMLFileLookupService en NiFi versiones 1.3.0 hasta 1.9.2, permitió a usuarios confiables configurar inadvertidamente un archivo XML potencialmente malicioso. El archivo XML tiene la capacidad de... • https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 7.5EPSS: 0%CPEs: 110EXPL: 0CVE-2019-10086 – apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default
https://notcve.org/view.php?id=CVE-2019-10086
20 Aug 2019 — In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean. En Apache Commons Beanutils 1.9.2, se agregó una clase especial BeanIntrospector que permite suprimir la capacidad de un atacante para acceder al cargador de clases a través de la propiedad de clase disponible en todo... • http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00007.html • CWE-502: Deserialization of Untrusted Data •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2018-17192
https://notcve.org/view.php?id=CVE-2018-17192
19 Dec 2018 — The X-Frame-Options headers were applied inconsistently on some HTTP responses, resulting in duplicate or missing security headers. Some browsers would interpret these results incorrectly, allowing clickjacking attacks. Mitigation: The fix to consistently apply the security headers was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release. Las cabeceras X-Frame-Options se aplicaron de forma inconsistente en algunas respuestas HTTP, lo que resul... • https://nifi.apache.org/security.html#CVE-2018-17192 • CWE-1021: Improper Restriction of Rendered UI Layers or Frames •
CVSS: 7.5EPSS: 1%CPEs: 1EXPL: 0CVE-2018-17194
https://notcve.org/view.php?id=CVE-2018-17194
19 Dec 2018 — When a client request to a cluster node was replicated to other nodes in the cluster for verification, the Content-Length was forwarded. On a DELETE request, the body was ignored, but if the initial request had a Content-Length value other than 0, the receiving nodes would wait for the body and eventually timeout. Mitigation: The fix to check DELETE requests and overwrite non-zero Content-Length header values was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to t... • https://nifi.apache.org/security.html#CVE-2018-17194 • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2018-17195
https://notcve.org/view.php?id=CVE-2018-17195
19 Dec 2018 — The template upload API endpoint accepted requests from different domain when sent in conjunction with ARP spoofing + man in the middle (MiTM) attack, resulting in a CSRF attack. The required attack vector is complex, requiring a scenario with client certificate authentication, same subnet access, and injecting malicious code into an unprotected (plaintext HTTP) website which the targeted user later visits, but the possible damage warranted a Severe severity level. Mitigation: The fix to apply Cross-Origin ... • https://nifi.apache.org/security.html#CVE-2018-17195 • CWE-319: Cleartext Transmission of Sensitive Information CWE-863: Incorrect Authorization •
CVSS: 6.1EPSS: 1%CPEs: 1EXPL: 0CVE-2018-17193
https://notcve.org/view.php?id=CVE-2018-17193
19 Dec 2018 — The message-page.jsp error page used the value of the HTTP request header X-ProxyContextPath without sanitization, resulting in a reflected XSS attack. Mitigation: The fix to correctly parse and sanitize the request attribute value was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release. La página de error message-page.jsp empleó el valor de la cabecera de petición HTTP X-ProxyContextPath sin sanear, lo que resulta en un ataque Cross-Site Scr... • https://nifi.apache.org/security.html#CVE-2018-17193 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 2%CPEs: 1EXPL: 0CVE-2018-1309
https://notcve.org/view.php?id=CVE-2018-1309
23 May 2018 — Apache NiFi External XML Entity issue in SplitXML processor. Malicious XML content could cause information disclosure or remote code execution. The fix to disable external general entity parsing and disallow doctype declarations was applied on the Apache NiFi 1.6.0 release. Users running a prior 1.x release should upgrade to the appropriate release. Hay un problema de XEE (XML External Entity) en el procesador SplitXML en Apache NiFi. • https://nifi.apache.org/security.html#CVE-2018-1309 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 7.5EPSS: 1%CPEs: 1EXPL: 0CVE-2018-1310
https://notcve.org/view.php?id=CVE-2018-1310
23 May 2018 — Apache NiFi JMS Deserialization issue because of ActiveMQ client vulnerability. Malicious JMS content could cause denial of service. See ActiveMQ CVE-2015-5254 announcement for more information. The fix to upgrade the activemq-client library to 5.15.3 was applied on the Apache NiFi 1.6.0 release. Users running a prior 1.x release should upgrade to the appropriate release. • https://nifi.apache.org/security.html#CVE-2018-1310 • CWE-502: Deserialization of Untrusted Data •