Page 6 of 39 results (0.007 seconds)

CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0

The X-Frame-Options headers were applied inconsistently on some HTTP responses, resulting in duplicate or missing security headers. Some browsers would interpret these results incorrectly, allowing clickjacking attacks. Mitigation: The fix to consistently apply the security headers was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release. Las cabeceras X-Frame-Options se aplicaron de forma inconsistente en algunas respuestas HTTP, lo que resulta en cabeceras de seguridad duplicadas o faltantes. • https://nifi.apache.org/security.html#CVE-2018-17192 • CWE-1021: Improper Restriction of Rendered UI Layers or Frames •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0

The message-page.jsp error page used the value of the HTTP request header X-ProxyContextPath without sanitization, resulting in a reflected XSS attack. Mitigation: The fix to correctly parse and sanitize the request attribute value was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release. La página de error message-page.jsp empleó el valor de la cabecera de petición HTTP X-ProxyContextPath sin sanear, lo que resulta en un ataque Cross-Site Scripting (XSS). Mitigación: La solución para analizar correctamente y sanear el valor del atributo de petición se aplicó en la distribución 1.8.0 de Apache NiFi. • https://nifi.apache.org/security.html#CVE-2018-17193 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0

When a client request to a cluster node was replicated to other nodes in the cluster for verification, the Content-Length was forwarded. On a DELETE request, the body was ignored, but if the initial request had a Content-Length value other than 0, the receiving nodes would wait for the body and eventually timeout. Mitigation: The fix to check DELETE requests and overwrite non-zero Content-Length header values was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release. Cuando una petición de cliente a un nodo del clúster se replicó a otros nodos en el clúster para verificarlos, se redireccionó el Content-Length. • https://nifi.apache.org/security.html#CVE-2018-17194 • CWE-20: Improper Input Validation •

CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0

Apache NiFi External XML Entity issue in SplitXML processor. Malicious XML content could cause information disclosure or remote code execution. The fix to disable external general entity parsing and disallow doctype declarations was applied on the Apache NiFi 1.6.0 release. Users running a prior 1.x release should upgrade to the appropriate release. Hay un problema de XEE (XML External Entity) en el procesador SplitXML en Apache NiFi. • https://nifi.apache.org/security.html#CVE-2018-1309 • CWE-611: Improper Restriction of XML External Entity Reference •

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0

Apache NiFi JMS Deserialization issue because of ActiveMQ client vulnerability. Malicious JMS content could cause denial of service. See ActiveMQ CVE-2015-5254 announcement for more information. The fix to upgrade the activemq-client library to 5.15.3 was applied on the Apache NiFi 1.6.0 release. Users running a prior 1.x release should upgrade to the appropriate release. • https://nifi.apache.org/security.html#CVE-2018-1310 • CWE-502: Deserialization of Untrusted Data •