CVSS: 5.5EPSS: 0%CPEs: 15EXPL: 0CVE-2024-37389 – Apache NiFi: Improper Neutralization of Input in Parameter Context Description
https://notcve.org/view.php?id=CVE-2024-37389
08 Jul 2024 — Apache NiFi 1.10.0 through 1.26.0 and 2.0.0-M1 through 2.0.0-M3 support a description field in the Parameter Context configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to configure a Parameter Context, can enter arbitrary JavaScript code, which the client browser will execute within the session context of the authenticated user. Upgrading to Apache NiFi 1.27.0 or 2.0.0-M4 is the recommended mitigation. Apache NiFi 1.10.0 a 1.26.0 y 2.0.0-M1 a 2.0.0-M3 admiten un camp... • https://lists.apache.org/thread/yso9fr0wtff53nk046h1o83hdyb1lrxh • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.9EPSS: 0%CPEs: 1EXPL: 0CVE-2023-49145 – Apache NiFi: Improper Neutralization of Input in Advanced User Interface for Jolt
https://notcve.org/view.php?id=CVE-2023-49145
27 Nov 2023 — Apache NiFi 0.7.0 through 1.23.2 include the JoltTransformJSON Processor, which provides an advanced configuration user interface that is vulnerable to DOM-based cross-site scripting. If an authenticated user, who is authorized to configure a JoltTransformJSON Processor, visits a crafted URL, then arbitrary JavaScript code can be executed within the session context of the authenticated user. Upgrading to Apache NiFi 1.24.0 or 2.0.0-M1 is the recommended mitigation. Apache NiFi 0.7.0 a 1.23.2 incluye el proc... • http://www.openwall.com/lists/oss-security/2023/11/27/5 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 3%CPEs: 1EXPL: 0CVE-2023-36542 – Apache NiFi: Potential Code Injection with Properties Referencing Remote Resources
https://notcve.org/view.php?id=CVE-2023-36542
29 Jul 2023 — Apache NiFi 0.0.2 through 1.22.0 include Processors and Controller Services that support HTTP URL references for retrieving drivers, which allows an authenticated and authorized user to configure a location that enables custom code execution. The resolution introduces a new Required Permission for referencing remote resources, restricting configuration of these components to privileged users. The permission prevents unprivileged users from configuring Processors and Controller Services annotated with the ne... • http://seclists.org/fulldisclosure/2023/Jul/43 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-34212 – Apache NiFi: Potential Deserialization of Untrusted Data with JNDI in JMS Components
https://notcve.org/view.php?id=CVE-2023-34212
12 Jun 2023 — The JndiJmsConnectionFactoryProvider Controller Service, along with the ConsumeJMS and PublishJMS Processors, in Apache NiFi 1.8.0 through 1.21.0 allow an authenticated and authorized user to configure URL and library properties that enable deserialization of untrusted data from a remote location. The resolution validates the JNDI URL and restricts locations to a set of allowed schemes. You are recommended to upgrade to version 1.22.0 or later which fixes this issue. • https://github.com/mbadanoiu/CVE-2023-34212 • CWE-502: Deserialization of Untrusted Data •
CVSS: 9.0EPSS: 75%CPEs: 1EXPL: 5CVE-2023-34468 – Apache NiFi: Potential Code Injection with Database Services using H2
https://notcve.org/view.php?id=CVE-2023-34468
12 Jun 2023 — The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution. The resolution validates the Database URL and rejects H2 JDBC locations. You are recommended to upgrade to version 1.22.0 or later which fixes this issue. • https://packetstorm.news/files/id/174398 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-22832 – Apache NiFi: Improper Restriction of XML External Entity References in ExtractCCDAAttributes
https://notcve.org/view.php?id=CVE-2023-22832
10 Feb 2023 — The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references. Flow configurations that include the ExtractCCDAAttributes Processor are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. The resolution disables Document Type Declarations and disallows XML External Entity resolution in the ExtractCCDAAttributes Processor. • https://lists.apache.org/thread/b51qs6y7b7r58vovddkv6wc16g2xbl3w • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 8.8EPSS: 1%CPEs: 4EXPL: 0CVE-2022-33140 – Improper Neutralization of Command Elements in Shell User Group Provider
https://notcve.org/view.php?id=CVE-2022-33140
15 Jun 2022 — The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not neutralize arguments for group resolution commands, allowing injection of operating system commands on Linux and macOS platforms. The ShellUserGroupProvider is not included in the default configuration. Command injection requires ShellUserGroupProvider to be one of the enabled User Group Providers in the Authorizers configuration. Command injection also requires an authenticated user with el... • https://lists.apache.org/thread/bzs2pcdjsdrh5039oslmfr9mbs9qqdhr • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-29265 – Improper Restriction of XML External Entity References in Multiple Components
https://notcve.org/view.php?id=CVE-2022-29265
30 Apr 2022 — Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configuration. The Standard Content Viewer service attempts to resolve XML External Entity references when viewing formatted XML files. The following Processors attempt to resolve XML External Entity references when configured with default property values: - EvaluateXPath - EvaluateXQuery - ValidateXml Apache NiFi flow configurations that include these Processors are vulnerable to malicious XML d... • https://lists.apache.org/thread/47od9kr9n4cyv0mv81jh3pkyx815kyjl • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-44145 – Apache NiFi information disclosure by XXE
https://notcve.org/view.php?id=CVE-2021-44145
17 Dec 2021 — In the TransformXML processor of Apache NiFi before 1.15.1 an authenticated user could configure an XSLT file which, if it included malicious external entity calls, may reveal sensitive information. En el procesador TransformXML de Apache NiFi versiones anteriores a 1.15.1, un usuario autenticado podía configurar un archivo XSLT que, si incluía llamadas a entidades externas maliciosas, podía revelar información confidencial • http://www.openwall.com/lists/oss-security/2021/12/17/1 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.3EPSS: 22%CPEs: 23EXPL: 4CVE-2020-27223 – jetty: request containing multiple Accept headers with a large number of "quality" parameters may lead to DoS
https://notcve.org/view.php?id=CVE-2020-27223
26 Feb 2021 — In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values. En Eclipse Jetty versiones 9.4.6.v20170531 hasta 9.4.36.v20210114 (inclusive), versiones 10.0.0 y 11.0.0, cuando Jetty maneja... • https://github.com/motikan2010/CVE-2020-27223 • CWE-400: Uncontrolled Resource Consumption CWE-407: Inefficient Algorithmic Complexity •