CVSS: 6.1EPSS: 1%CPEs: 1EXPL: 0CVE-2018-17193
https://notcve.org/view.php?id=CVE-2018-17193
19 Dec 2018 — The message-page.jsp error page used the value of the HTTP request header X-ProxyContextPath without sanitization, resulting in a reflected XSS attack. Mitigation: The fix to correctly parse and sanitize the request attribute value was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release. La página de error message-page.jsp empleó el valor de la cabecera de petición HTTP X-ProxyContextPath sin sanear, lo que resulta en un ataque Cross-Site Scr... • https://nifi.apache.org/security.html#CVE-2018-17193 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 1%CPEs: 1EXPL: 0CVE-2018-17194
https://notcve.org/view.php?id=CVE-2018-17194
19 Dec 2018 — When a client request to a cluster node was replicated to other nodes in the cluster for verification, the Content-Length was forwarded. On a DELETE request, the body was ignored, but if the initial request had a Content-Length value other than 0, the receiving nodes would wait for the body and eventually timeout. Mitigation: The fix to check DELETE requests and overwrite non-zero Content-Length header values was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to t... • https://nifi.apache.org/security.html#CVE-2018-17194 • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2018-17195
https://notcve.org/view.php?id=CVE-2018-17195
19 Dec 2018 — The template upload API endpoint accepted requests from different domain when sent in conjunction with ARP spoofing + man in the middle (MiTM) attack, resulting in a CSRF attack. The required attack vector is complex, requiring a scenario with client certificate authentication, same subnet access, and injecting malicious code into an unprotected (plaintext HTTP) website which the targeted user later visits, but the possible damage warranted a Severe severity level. Mitigation: The fix to apply Cross-Origin ... • https://nifi.apache.org/security.html#CVE-2018-17195 • CWE-319: Cleartext Transmission of Sensitive Information CWE-863: Incorrect Authorization •