apache nifi vulnerabilities and exploits

(subscribe to this query)

In Apache NiFi prior to 0.7.4 and 1.x prior to 1.3.0, there are certain user input components in the UI which had been guarding for some forms of XSS issues but were insufficient.

Apache Nifi Apache Nifi 1.0.0 Apache Nifi 1.0.1 Apache Nifi 1.1.0 Apache Nifi 1.1.1 Apache Nifi 1.1.2 Apache Nifi 1.2.0

Apache NiFi prior to 0.7.4 and 1.x prior to 1.3.0 need to establish the response header telling browsers to only allow framing with the same origin.

Apache Nifi Apache Nifi 1.0.0 Apache Nifi 1.0.1 Apache Nifi 1.1.0 Apache Nifi 1.1.1 Apache Nifi 1.1.2 Apache Nifi 1.2.0

An authorized user could upload a template which contained malicious code and accessed sensitive files via an XML External Entity (XXE) attack. The fix to properly handle XML External Entities was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should ...

Apache Nifi 1.0.0 Apache Nifi 1.0.1 Apache Nifi 1.1.0 Apache Nifi 1.1.1 Apache Nifi 1.1.2 Apache Nifi 1.2.0 Apache Nifi 1.3.0

In Apache NiFi prior to 0.7.2 and 1.x prior to 1.1.2 in a cluster environment, if an anonymous user request is replicated to another node, the originating node identity is used rather than the "anonymous" user.

Apache Nifi 0.7.0 Apache Nifi 0.7.1 Apache Nifi 1.1.0 Apache Nifi 1.1.1

In Apache NiFi prior to 0.7.2 and 1.x prior to 1.1.2 in a cluster environment, the proxy chain serialization/deserialization is vulnerable to an injection attack where a carefully crafted username could impersonate another user and gain their permissions on a replicated request t...

Apache Nifi 0.7.0 Apache Nifi 0.7.1 Apache Nifi 1.1.0 Apache Nifi 1.1.1

In Apache NiFi prior to 1.0.1 and 1.1.x prior to 1.1.1, there is a cross-site scripting vulnerability in connection details dialog when accessed by an authorized user. The user supplied text was not being properly handled when added to the DOM.

Apache Nifi Apache Nifi 1.1.0

Apache NiFi 1.10.0 up to and including 1.26.0 and 2.0.0-M1 up to and including 2.0.0-M3 support a description field in the Parameter Context configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to configure a Parameter Context, can enter arb...

Apache Nifi Apache Nifi 2.0.0

The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not neutralize arguments for group resolution commands, allowing injection of operating system commands on Linux and macOS platforms. The ShellUserGroupProvider is no...

Apache Nifi Apache Nifi Registry

Apache NiFi 1.10.0 up to and including 1.27.0 and 2.0.0-M1 up to and including 2.0.0-M3 support a description field for Parameters in a Parameter Context configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to configure a Parameter Context, ...

Apache Nifi Apache Nifi 2.0.0

The message-page.jsp error page used the value of the HTTP request header X-ProxyContextPath without sanitization, resulting in a reflected XSS attack. Mitigation: The fix to correctly parse and sanitize the request attribute value was applied on the Apache NiFi 1.8.0 release. Us...

1 2 3 4 5 NEXT »

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Product List Vendor List Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook