CVE-2020-1933
https://notcve.org/view.php?id=CVE-2020-1933
A XSS vulnerability was found in Apache NiFi 1.0.0 to 1.10.0. Malicious scripts could be injected to the UI through action by an unaware authenticated user in Firefox. Did not appear to occur in other browsers. Se detectó una vulnerabilidad de tipo XSS en Apache NiFi versiones 1.0.0 hasta 1.10.0. Pueden ser inyectados scripts maliciosos en la interfaz de usuario por medio de una acción por parte de un usuario autenticado desprevenido en Firefox. • https://nifi.apache.org/security.html#CVE-2020-1933 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2019-12421
https://notcve.org/view.php?id=CVE-2019-12421
When using an authentication mechanism other than PKI, when the user clicks Log Out in NiFi versions 1.0.0 to 1.9.2, NiFi invalidates the authentication token on the client side but not on the server side. This permits the user's client-side token to be used for up to 12 hours after logging out to make API requests to NiFi. Cuando se utiliza un mecanismo de autenticación diferente de PKI, al momento que el usuario hace clic en el Log Out en NiFi versiones 1.0.0 hasta 1.9.2, NiFi invalida el token de autenticación en el lado del cliente pero no en el lado del servidor. Esto permite que el token del lado del cliente del usuario sea usado hasta 12 horas después de cerrar sesión para llevar a cabo peticiones de la API a NiFi. • https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E https://nifi.apache.org/security.html#CVE-2019-12421 • CWE-613: Insufficient Session Expiration •
CVE-2018-17192
https://notcve.org/view.php?id=CVE-2018-17192
The X-Frame-Options headers were applied inconsistently on some HTTP responses, resulting in duplicate or missing security headers. Some browsers would interpret these results incorrectly, allowing clickjacking attacks. Mitigation: The fix to consistently apply the security headers was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release. Las cabeceras X-Frame-Options se aplicaron de forma inconsistente en algunas respuestas HTTP, lo que resulta en cabeceras de seguridad duplicadas o faltantes. • https://nifi.apache.org/security.html#CVE-2018-17192 • CWE-1021: Improper Restriction of Rendered UI Layers or Frames •
CVE-2018-17193
https://notcve.org/view.php?id=CVE-2018-17193
The message-page.jsp error page used the value of the HTTP request header X-ProxyContextPath without sanitization, resulting in a reflected XSS attack. Mitigation: The fix to correctly parse and sanitize the request attribute value was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release. La página de error message-page.jsp empleó el valor de la cabecera de petición HTTP X-ProxyContextPath sin sanear, lo que resulta en un ataque Cross-Site Scripting (XSS). Mitigación: La solución para analizar correctamente y sanear el valor del atributo de petición se aplicó en la distribución 1.8.0 de Apache NiFi. • https://nifi.apache.org/security.html#CVE-2018-17193 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-17194
https://notcve.org/view.php?id=CVE-2018-17194
When a client request to a cluster node was replicated to other nodes in the cluster for verification, the Content-Length was forwarded. On a DELETE request, the body was ignored, but if the initial request had a Content-Length value other than 0, the receiving nodes would wait for the body and eventually timeout. Mitigation: The fix to check DELETE requests and overwrite non-zero Content-Length header values was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release. Cuando una petición de cliente a un nodo del clúster se replicó a otros nodos en el clúster para verificarlos, se redireccionó el Content-Length. • https://nifi.apache.org/security.html#CVE-2018-17194 • CWE-20: Improper Input Validation •