CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2018-17192
https://notcve.org/view.php?id=CVE-2018-17192
The X-Frame-Options headers were applied inconsistently on some HTTP responses, resulting in duplicate or missing security headers. Some browsers would interpret these results incorrectly, allowing clickjacking attacks. Mitigation: The fix to consistently apply the security headers was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release. Las cabeceras X-Frame-Options se aplicaron de forma inconsistente en algunas respuestas HTTP, lo que resulta en cabeceras de seguridad duplicadas o faltantes. • https://nifi.apache.org/security.html#CVE-2018-17192 • CWE-1021: Improper Restriction of Rendered UI Layers or Frames •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2018-1309
https://notcve.org/view.php?id=CVE-2018-1309
Apache NiFi External XML Entity issue in SplitXML processor. Malicious XML content could cause information disclosure or remote code execution. The fix to disable external general entity parsing and disallow doctype declarations was applied on the Apache NiFi 1.6.0 release. Users running a prior 1.x release should upgrade to the appropriate release. Hay un problema de XEE (XML External Entity) en el procesador SplitXML en Apache NiFi. • https://nifi.apache.org/security.html#CVE-2018-1309 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2018-1310
https://notcve.org/view.php?id=CVE-2018-1310
Apache NiFi JMS Deserialization issue because of ActiveMQ client vulnerability. Malicious JMS content could cause denial of service. See ActiveMQ CVE-2015-5254 announcement for more information. The fix to upgrade the activemq-client library to 5.15.3 was applied on the Apache NiFi 1.6.0 release. Users running a prior 1.x release should upgrade to the appropriate release. • https://nifi.apache.org/security.html#CVE-2018-1310 • CWE-502: Deserialization of Untrusted Data •
CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0CVE-2017-15703
https://notcve.org/view.php?id=CVE-2017-15703
Any authenticated user (valid client certificate but without ACL permissions) could upload a template which contained malicious code and caused a denial of service via Java deserialization attack. The fix to properly handle Java deserialization was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should upgrade to the appropriate release. Cualquier usuario autenticado (certificado de cliente válido pero sin permisos de listas de control de acceso) podía cargar una plantilla que contenga código malicioso y provocar una denegación de servicio (DoS) mediante un ataque de deserialización de Java. La solución para manejar la deserialización de Java se aplicó en la distribución 1.4.0 de Apache NiFi. • https://nifi.apache.org/security.html#CVE-2017-15703 • CWE-502: Deserialization of Untrusted Data •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2017-12632
https://notcve.org/view.php?id=CVE-2017-12632
A malicious host header in an incoming HTTP request could cause NiFi to load resources from an external server. The fix to sanitize host headers and compare to a controlled whitelist was applied on the Apache NiFi 1.5.0 release. Users running a prior 1.x release should upgrade to the appropriate release. Una cabecera de host manipulada en una petición HTTP entrante podría provocar que NiFi cargue recursos de un servidor externo. La solución para sanear cabeceras de host y compararlas con una lista blanca controlada se aplicó en la versión 1.5.0 de Apache NiFi. • https://nifi.apache.org/security.html#CVE-2017-12632 • CWE-20: Improper Input Validation •