CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2018-17195
https://notcve.org/view.php?id=CVE-2018-17195
The template upload API endpoint accepted requests from different domain when sent in conjunction with ARP spoofing + man in the middle (MiTM) attack, resulting in a CSRF attack. The required attack vector is complex, requiring a scenario with client certificate authentication, same subnet access, and injecting malicious code into an unprotected (plaintext HTTP) website which the targeted user later visits, but the possible damage warranted a Severe severity level. Mitigation: The fix to apply Cross-Origin Resource Sharing (CORS) policy request filtering was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release. El endpoint de la API de subida de plantillas aceptaba peticiones de diferentes dominios al enviarse junto con un ataque de suplantación de ARP y otro Man-in-the-Middle (MitM), lo que resulta en un ataque Cross-Site Request Forgery (CSRF). • https://nifi.apache.org/security.html#CVE-2018-17195 • CWE-319: Cleartext Transmission of Sensitive Information CWE-863: Incorrect Authorization •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2018-1309
https://notcve.org/view.php?id=CVE-2018-1309
Apache NiFi External XML Entity issue in SplitXML processor. Malicious XML content could cause information disclosure or remote code execution. The fix to disable external general entity parsing and disallow doctype declarations was applied on the Apache NiFi 1.6.0 release. Users running a prior 1.x release should upgrade to the appropriate release. Hay un problema de XEE (XML External Entity) en el procesador SplitXML en Apache NiFi. • https://nifi.apache.org/security.html#CVE-2018-1309 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2018-1310
https://notcve.org/view.php?id=CVE-2018-1310
Apache NiFi JMS Deserialization issue because of ActiveMQ client vulnerability. Malicious JMS content could cause denial of service. See ActiveMQ CVE-2015-5254 announcement for more information. The fix to upgrade the activemq-client library to 5.15.3 was applied on the Apache NiFi 1.6.0 release. Users running a prior 1.x release should upgrade to the appropriate release. • https://nifi.apache.org/security.html#CVE-2018-1310 • CWE-502: Deserialization of Untrusted Data •
CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0CVE-2017-15703
https://notcve.org/view.php?id=CVE-2017-15703
Any authenticated user (valid client certificate but without ACL permissions) could upload a template which contained malicious code and caused a denial of service via Java deserialization attack. The fix to properly handle Java deserialization was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should upgrade to the appropriate release. Cualquier usuario autenticado (certificado de cliente válido pero sin permisos de listas de control de acceso) podía cargar una plantilla que contenga código malicioso y provocar una denegación de servicio (DoS) mediante un ataque de deserialización de Java. La solución para manejar la deserialización de Java se aplicó en la distribución 1.4.0 de Apache NiFi. • https://nifi.apache.org/security.html#CVE-2017-15703 • CWE-502: Deserialization of Untrusted Data •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2017-12632
https://notcve.org/view.php?id=CVE-2017-12632
A malicious host header in an incoming HTTP request could cause NiFi to load resources from an external server. The fix to sanitize host headers and compare to a controlled whitelist was applied on the Apache NiFi 1.5.0 release. Users running a prior 1.x release should upgrade to the appropriate release. Una cabecera de host manipulada en una petición HTTP entrante podría provocar que NiFi cargue recursos de un servidor externo. La solución para sanear cabeceras de host y compararlas con una lista blanca controlada se aplicó en la versión 1.5.0 de Apache NiFi. • https://nifi.apache.org/security.html#CVE-2017-12632 • CWE-20: Improper Input Validation •