CVSS: 7.5EPSS: 0%CPEs: 110EXPL: 0CVE-2019-10086 – apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default
https://notcve.org/view.php?id=CVE-2019-10086
20 Aug 2019 — In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean. En Apache Commons Beanutils 1.9.2, se agregó una clase especial BeanIntrospector que permite suprimir la capacidad de un atacante para acceder al cargador de clases a través de la propiedad de clase disponible en todo... • http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00007.html • CWE-502: Deserialization of Untrusted Data •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2018-17192
https://notcve.org/view.php?id=CVE-2018-17192
19 Dec 2018 — The X-Frame-Options headers were applied inconsistently on some HTTP responses, resulting in duplicate or missing security headers. Some browsers would interpret these results incorrectly, allowing clickjacking attacks. Mitigation: The fix to consistently apply the security headers was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release. Las cabeceras X-Frame-Options se aplicaron de forma inconsistente en algunas respuestas HTTP, lo que resul... • https://nifi.apache.org/security.html#CVE-2018-17192 • CWE-1021: Improper Restriction of Rendered UI Layers or Frames •
CVSS: 6.1EPSS: 1%CPEs: 1EXPL: 0CVE-2018-17193
https://notcve.org/view.php?id=CVE-2018-17193
19 Dec 2018 — The message-page.jsp error page used the value of the HTTP request header X-ProxyContextPath without sanitization, resulting in a reflected XSS attack. Mitigation: The fix to correctly parse and sanitize the request attribute value was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release. La página de error message-page.jsp empleó el valor de la cabecera de petición HTTP X-ProxyContextPath sin sanear, lo que resulta en un ataque Cross-Site Scr... • https://nifi.apache.org/security.html#CVE-2018-17193 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 1%CPEs: 1EXPL: 0CVE-2018-17194
https://notcve.org/view.php?id=CVE-2018-17194
19 Dec 2018 — When a client request to a cluster node was replicated to other nodes in the cluster for verification, the Content-Length was forwarded. On a DELETE request, the body was ignored, but if the initial request had a Content-Length value other than 0, the receiving nodes would wait for the body and eventually timeout. Mitigation: The fix to check DELETE requests and overwrite non-zero Content-Length header values was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to t... • https://nifi.apache.org/security.html#CVE-2018-17194 • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2018-17195
https://notcve.org/view.php?id=CVE-2018-17195
19 Dec 2018 — The template upload API endpoint accepted requests from different domain when sent in conjunction with ARP spoofing + man in the middle (MiTM) attack, resulting in a CSRF attack. The required attack vector is complex, requiring a scenario with client certificate authentication, same subnet access, and injecting malicious code into an unprotected (plaintext HTTP) website which the targeted user later visits, but the possible damage warranted a Severe severity level. Mitigation: The fix to apply Cross-Origin ... • https://nifi.apache.org/security.html#CVE-2018-17195 • CWE-319: Cleartext Transmission of Sensitive Information CWE-863: Incorrect Authorization •
CVSS: 9.8EPSS: 2%CPEs: 1EXPL: 0CVE-2018-1309
https://notcve.org/view.php?id=CVE-2018-1309
23 May 2018 — Apache NiFi External XML Entity issue in SplitXML processor. Malicious XML content could cause information disclosure or remote code execution. The fix to disable external general entity parsing and disallow doctype declarations was applied on the Apache NiFi 1.6.0 release. Users running a prior 1.x release should upgrade to the appropriate release. Hay un problema de XEE (XML External Entity) en el procesador SplitXML en Apache NiFi. • https://nifi.apache.org/security.html#CVE-2018-1309 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 7.5EPSS: 1%CPEs: 1EXPL: 0CVE-2018-1310
https://notcve.org/view.php?id=CVE-2018-1310
23 May 2018 — Apache NiFi JMS Deserialization issue because of ActiveMQ client vulnerability. Malicious JMS content could cause denial of service. See ActiveMQ CVE-2015-5254 announcement for more information. The fix to upgrade the activemq-client library to 5.15.3 was applied on the Apache NiFi 1.6.0 release. Users running a prior 1.x release should upgrade to the appropriate release. • https://nifi.apache.org/security.html#CVE-2018-1310 • CWE-502: Deserialization of Untrusted Data •
CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0CVE-2017-15703
https://notcve.org/view.php?id=CVE-2017-15703
25 Jan 2018 — Any authenticated user (valid client certificate but without ACL permissions) could upload a template which contained malicious code and caused a denial of service via Java deserialization attack. The fix to properly handle Java deserialization was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should upgrade to the appropriate release. Cualquier usuario autenticado (certificado de cliente válido pero sin permisos de listas de control de acceso) podía cargar una plantilla que co... • https://nifi.apache.org/security.html#CVE-2017-15703 • CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2017-15697
https://notcve.org/view.php?id=CVE-2017-15697
23 Jan 2018 — A malicious X-ProxyContextPath or X-Forwarded-Context header containing external resources or embedded code could cause remote code execution. The fix to properly handle these headers was applied on the Apache NiFi 1.5.0 release. Users running a prior 1.x release should upgrade to the appropriate release. Una cabecera X-ProxyContextPath o X-Forwarded-Context maliciosa que contenga recursos externos o código embebido puede provocar la ejecución remota de código. La solución para gestionar apropiadamente esta... • https://nifi.apache.org/security.html#CVE-2017-15697 • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2017-12632
https://notcve.org/view.php?id=CVE-2017-12632
23 Jan 2018 — A malicious host header in an incoming HTTP request could cause NiFi to load resources from an external server. The fix to sanitize host headers and compare to a controlled whitelist was applied on the Apache NiFi 1.5.0 release. Users running a prior 1.x release should upgrade to the appropriate release. Una cabecera de host manipulada en una petición HTTP entrante podría provocar que NiFi cargue recursos de un servidor externo. La solución para sanear cabeceras de host y compararlas con una lista blanca co... • https://nifi.apache.org/security.html#CVE-2017-12632 • CWE-20: Improper Input Validation •