Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
apache nifi vulnerabilities and exploits
(subscribe to this query)
5
CVSSv2
CVE-2020-9491
In Apache NiFi 1.2.0 to 1.11.4, the NiFi UI and API were protected by mandating TLS v1.2, as well as listening connections established by processors like ListenHTTP, HandleHttpRequest, etc. However intracluster communication such as cluster request replication, Site-to-Site, and ...
Apache Nifi
NA
CVE-2023-34468
The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 up to and including 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution. The resolution validates the Databas...
Apache Nifi
1 Github repository
NA
CVE-2023-40037
Apache NiFi 1.21.0 up to and including 1.23.0 support JDBC and JNDI JMS access in several Processors and Controller Services with connection URL validation that does not provide sufficient protection against crafted inputs. An authenticated and authorized user can bypass connecti...
Apache Nifi
3 Github repositories
NA
CVE-2023-49145
Apache NiFi 0.7.0 up to and including 1.23.2 include the JoltTransformJSON Processor, which provides an advanced configuration user interface that is vulnerable to DOM-based cross-site scripting. If an authenticated user, who is authorized to configure a JoltTransformJSON Process...
Apache Nifi
4.3
CVSSv2
CVE-2018-17192
The X-Frame-Options headers were applied inconsistently on some HTTP responses, resulting in duplicate or missing security headers. Some browsers would interpret these results incorrectly, allowing clickjacking attacks. Mitigation: The fix to consistently apply the security heade...
Apache Nifi
4.3
CVSSv2
CVE-2018-17193
The message-page.jsp error page used the value of the HTTP request header X-ProxyContextPath without sanitization, resulting in a reflected XSS attack. Mitigation: The fix to correctly parse and sanitize the request attribute value was applied on the Apache NiFi 1.8.0 release. Us...
Apache Nifi
5
CVSSv2
CVE-2018-17194
When a client request to a cluster node was replicated to other nodes in the cluster for verification, the Content-Length was forwarded. On a DELETE request, the body was ignored, but if the initial request had a Content-Length value other than 0, the receiving nodes would wait f...
Apache Nifi
5.1
CVSSv2
CVE-2018-17195
The template upload API endpoint accepted requests from different domain when sent in conjunction with ARP spoofing + man in the middle (MiTM) attack, resulting in a CSRF attack. The required attack vector is complex, requiring a scenario with client certificate authentication, s...
Apache Nifi
NA
CVE-2023-34212
The JndiJmsConnectionFactoryProvider Controller Service, along with the ConsumeJMS and PublishJMS Processors, in Apache NiFi 1.8.0 up to and including 1.21.0 allow an authenticated and authorized user to configure URL and library properties that enable deserialization of untruste...
Apache Nifi
3 Github repositories
6.5
CVSSv2
CVE-2019-12421
When using an authentication mechanism other than PKI, when the user clicks Log Out in NiFi versions 1.0.0 to 1.9.2, NiFi invalidates the authentication token on the client side but not on the server side. This permits the user's client-side token to be used for up to 12 hou...
Apache Nifi
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
firmware
CVE-2023-52866
CVE-2024-4367
CVE-2024-1721
CVE-2023-34992
XML injection
CVE-2023-52817
SQL
CVE-2023-52855
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
« PREV
1
2
3
4
5
NEXT »