
CVE-2023-49145 – Apache NiFi: Improper Neutralization of Input in Advanced User Interface for Jolt
https://notcve.org/view.php?id=CVE-2023-49145
27 Nov 2023 — Apache NiFi 0.7.0 through 1.23.2 include the JoltTransformJSON Processor, which provides an advanced configuration user interface that is vulnerable to DOM-based cross-site scripting. If an authenticated user, who is authorized to configure a JoltTransformJSON Processor, visits a crafted URL, then arbitrary JavaScript code can be executed within the session context of the authenticated user. Upgrading to Apache NiFi 1.24.0 or 2.0.0-M1 is the recommended mitigation. • http://www.openwall.com/lists/oss-security/2023/11/27/5 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-36542 – Apache NiFi: Potential Code Injection with Properties Referencing Remote Resources
https://notcve.org/view.php?id=CVE-2023-36542
29 Jul 2023 — Apache NiFi 0.0.2 through 1.22.0 include Processors and Controller Services that support HTTP URL references for retrieving drivers, which allows an authenticated and authorized user to configure a location that enables custom code execution. The resolution introduces a new Required Permission for referencing remote resources, restricting configuration of these components to privileged users. The permission prevents unprivileged users from configuring Processors and Controller Services annotated with the ne... • http://seclists.org/fulldisclosure/2023/Jul/43 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2023-34468 – Apache NiFi: Potential Code Injection with Database Services using H2
https://notcve.org/view.php?id=CVE-2023-34468
12 Jun 2023 — The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution. The resolution validates the Database URL and rejects H2 JDBC locations. You are recommended to upgrade to version 1.22.0 or later which fixes this issue. • https://packetstorm.news/files/id/174398 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2023-22832 – Apache NiFi: Improper Restriction of XML External Entity References in ExtractCCDAAttributes
https://notcve.org/view.php?id=CVE-2023-22832
10 Feb 2023 — The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references. Flow configurations that include the ExtractCCDAAttributes Processor are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. The resolution disables Document Type Declarations and disallows XML External Entity resolution in the ExtractCCDAAttributes Processor. • https://lists.apache.org/thread/b51qs6y7b7r58vovddkv6wc16g2xbl3w • CWE-611: Improper Restriction of XML External Entity Reference •

CVE-2022-29265 – Improper Restriction of XML External Entity References in Multiple Components
https://notcve.org/view.php?id=CVE-2022-29265
30 Apr 2022 — Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configuration. The Standard Content Viewer service attempts to resolve XML External Entity references when viewing formatted XML files. The following Processors attempt to resolve XML External Entity references when configured with default property values: EvaluateXPath, EvaluateXQuery, ValidateXml. Apache NiFi flow configurations that include these Processors are vulnerable to malicious XML d... • https://lists.apache.org/thread/47od9kr9n4cyv0mv81jh3pkyx815kyjl • CWE-611: Improper Restriction of XML External Entity Reference •

CVE-2021-44145 – Apache NiFi information disclosure by XXE
https://notcve.org/view.php?id=CVE-2021-44145
17 Dec 2021 — In the TransformXML processor of Apache NiFi before 1.15.1 an authenticated user could configure an XSLT file which, if it included malicious external entity calls, may reveal sensitive information. • http://www.openwall.com/lists/oss-security/2021/12/17/1 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVE-2020-9491
https://notcve.org/view.php?id=CVE-2020-9491
01 Oct 2020 — In Apache NiFi 1.2.0 to 1.11.4, the NiFi UI and API were protected by mandating TLS v1.2, as well as listening connections established by processors like ListenHTTP, HandleHttpRequest, etc. However intracluster communication such as cluster request replication, Site-to-Site, and load balanced queues continued to support TLS v1.0 or v1.1. • https://lists.apache.org/thread.html/r2d9c21f9ec35d66f2bb42f8abe876dabd786166b6284e9a33582c718%40%3Ccommits.nifi.apache.org%3E • CWE-327: Use of a Broken or Risky Cryptographic Algorithm •

CVE-2020-13940
https://notcve.org/view.php?id=CVE-2020-13940
01 Oct 2020 — In Apache NiFi 1.0.0 to 1.11.4, the notification service manager and various policy authorizer and user group provider objects allowed trusted administrators to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE). • https://nifi.apache.org/security#CVE-2020-13940 • CWE-611: Improper Restriction of XML External Entity Reference •

CVE-2020-9487
https://notcve.org/view.php?id=CVE-2020-9487
01 Oct 2020 — In Apache NiFi 1.0.0 to 1.11.4, the NiFi download token (one-time password) mechanism used a fixed cache size and did not authenticate a request to create a download token, only when attempting to use the token to access the content. An unauthenticated user could repeatedly request download tokens, preventing legitimate users from requesting download tokens. • https://nifi.apache.org/security#CVE-2020-9487 • CWE-306: Missing Authentication for Critical Function •

CVE-2020-9486
https://notcve.org/view.php?id=CVE-2020-9486
01 Oct 2020 — In Apache NiFi 1.10.0 to 1.11.4, the NiFi stateless execution engine produced log output which included sensitive property values. When a flow was triggered, the flow definition configuration JSON was printed, potentially containing sensitive values in plaintext. • https://nifi.apache.org/security#CVE-2020-9486 • CWE-532: Insertion of Sensitive Information into Log File •