Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:maven/org.apache.nifi/nifi@0.2.0-incubating

Type maven

Namespace org.apache.nifi

Name nifi

Version 0.2.0-incubating

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 1.24.0

Latest_non_vulnerable_version 1.24.0

Affected_by_vulnerabilities

url VCID-5yn9-8juq-mkd9

vulnerability_id VCID-5yn9-8juq-mkd9

summary

Cross-site Scripting
There are certain user input components in the UI which had been guarding for some forms of XSS issues but were insufficient.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2017-7665

reference_id

reference_type

scores

value	0.00876
scoring_system	epss
scoring_elements	0.75644
published_at	2026-06-04T12:55:00Z

value	0.00876
scoring_system	epss
scoring_elements	0.75672
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2017-7665

reference_url

https://lists.apache.org/thread.html/d779d6129de1a5aa149c219b2fc6e9e78156614eaac92a89cbaf9bce@%3Cdev.nifi.apache.org%3E

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.apache.org/thread.html/d779d6129de1a5aa149c219b2fc6e9e78156614eaac92a89cbaf9bce@%3Cdev.nifi.apache.org%3E

reference_url

http://www.securityfocus.com/bid/99009

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://www.securityfocus.com/bid/99009

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2017-7665

reference_id

CVE-2017-7665

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2017-7665

fixed_packages

url pkg:maven/org.apache.nifi/nifi@0.7.4

purl pkg:maven/org.apache.nifi/nifi@0.7.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-8ybn-5kck-d7fz

vulnerability	VCID-jmcf-m398-pqec

vulnerability	VCID-jnfq-u9wb-k7dq

vulnerability	VCID-mm3u-4acx-e3hj

vulnerability	VCID-n9ad-a71z-vfeh

vulnerability	VCID-u3p9-su6e-efbw

vulnerability	VCID-uwnc-5qk4-eqgw

vulnerability	VCID-y5yt-6b5k-6yar

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@0.7.4

url pkg:maven/org.apache.nifi/nifi@1.3.0

purl pkg:maven/org.apache.nifi/nifi@1.3.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2ps4-jf7z-nqf1

vulnerability	VCID-49kq-6d3w-1ufx

vulnerability	VCID-babh-856u-5qcj

vulnerability	VCID-bgn1-6ac8-53b2

vulnerability	VCID-bj2c-k1hr-nycy

vulnerability	VCID-cqqh-wp8z-jua2

vulnerability	VCID-e3tg-8rmu-9ucb

vulnerability	VCID-g7v6-tmrk-tuer

vulnerability	VCID-grt2-a9zv-gkck

vulnerability	VCID-gxag-kxb4-n7ge

vulnerability	VCID-jmcf-m398-pqec

vulnerability	VCID-jnfq-u9wb-k7dq

vulnerability	VCID-mm3u-4acx-e3hj

vulnerability	VCID-n9ad-a71z-vfeh

vulnerability	VCID-u3p9-su6e-efbw

vulnerability	VCID-uwnc-5qk4-eqgw

vulnerability	VCID-uxfk-98ce-hfe8

vulnerability	VCID-y1sd-wp8g-afcn

vulnerability	VCID-y5yt-6b5k-6yar

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.3.0

aliases CVE-2017-7665, GHSA-m5r7-w9v3-ghmx

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5yn9-8juq-mkd9

url VCID-8ybn-5kck-d7fz

vulnerability_id VCID-8ybn-5kck-d7fz

summary

Cross-site Scripting
In Apache NiFi, there is a cross-site scripting vulnerability in connection details dialog when accessed by an authorized user. The user supplied text was not being properly handled when added to the DOM.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2016-8748

reference_id

reference_type

scores

value	0.00406
scoring_system	epss
scoring_elements	0.61403
published_at	2026-06-04T12:55:00Z

value	0.00406
scoring_system	epss
scoring_elements	0.6145
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2016-8748

reference_url

https://nifi.apache.org/security.html#CVE-2016-8748

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nifi.apache.org/security.html#CVE-2016-8748

reference_url

http://www.securityfocus.com/bid/95621

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://www.securityfocus.com/bid/95621

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2016-8748

reference_id

CVE-2016-8748

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2016-8748

fixed_packages

url pkg:maven/org.apache.nifi/nifi@1.0.1

purl pkg:maven/org.apache.nifi/nifi@1.0.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2ps4-jf7z-nqf1

vulnerability	VCID-49kq-6d3w-1ufx

vulnerability	VCID-5yn9-8juq-mkd9

vulnerability	VCID-8ybn-5kck-d7fz

vulnerability	VCID-bgn1-6ac8-53b2

vulnerability	VCID-bj2c-k1hr-nycy

vulnerability	VCID-cqqh-wp8z-jua2

vulnerability	VCID-e3tg-8rmu-9ucb

vulnerability	VCID-gxag-kxb4-n7ge

vulnerability	VCID-jmcf-m398-pqec

vulnerability	VCID-jnfq-u9wb-k7dq

vulnerability	VCID-mm3u-4acx-e3hj

vulnerability	VCID-n9ad-a71z-vfeh

vulnerability	VCID-ty4z-t2su-muc6

vulnerability	VCID-u3p9-su6e-efbw

vulnerability	VCID-uwnc-5qk4-eqgw

vulnerability	VCID-uxfk-98ce-hfe8

vulnerability	VCID-y1sd-wp8g-afcn

vulnerability	VCID-y5yt-6b5k-6yar

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.0.1

url pkg:maven/org.apache.nifi/nifi@1.1.1

purl pkg:maven/org.apache.nifi/nifi@1.1.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2ps4-jf7z-nqf1

vulnerability	VCID-49kq-6d3w-1ufx

vulnerability	VCID-5yn9-8juq-mkd9

vulnerability	VCID-bgn1-6ac8-53b2

vulnerability	VCID-bj2c-k1hr-nycy

vulnerability	VCID-cqqh-wp8z-jua2

vulnerability	VCID-e3tg-8rmu-9ucb

vulnerability	VCID-gxag-kxb4-n7ge

vulnerability	VCID-jmcf-m398-pqec

vulnerability	VCID-jnfq-u9wb-k7dq

vulnerability	VCID-m99c-5n4v-w7ec

vulnerability	VCID-mm3u-4acx-e3hj

vulnerability	VCID-n9ad-a71z-vfeh

vulnerability	VCID-r6wb-vjgp-tubn

vulnerability	VCID-ty4z-t2su-muc6

vulnerability	VCID-u3p9-su6e-efbw

vulnerability	VCID-uwnc-5qk4-eqgw

vulnerability	VCID-uxfk-98ce-hfe8

vulnerability	VCID-y1sd-wp8g-afcn

vulnerability	VCID-y5yt-6b5k-6yar

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.1.1

aliases CVE-2016-8748, GHSA-g2fm-x3cp-mqw9

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8ybn-5kck-d7fz

url VCID-jmcf-m398-pqec

vulnerability_id VCID-jmcf-m398-pqec

summary

Improper Restriction of XML External Entity Reference
Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configuration. The Standard Content Viewer service attempts to resolve XML External Entity references when viewing formatted XML files. The following Processors attempt to resolve XML External Entity references when configured with default property values: - `EvaluateXPath` - `EvaluateXQuery` - `ValidateXml` Apache NiFi flow configurations that include these Processors is vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. The resolution disables Document Type Declarations in the default configuration for these Processors, and disallows XML External Entity resolution in standard services.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-29265

reference_id

reference_type

scores

value	0.0212
scoring_system	epss
scoring_elements	0.84449
published_at	2026-06-04T12:55:00Z

value	0.0212
scoring_system	epss
scoring_elements	0.84473
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-29265

reference_url

https://github.com/apache/nifi

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/nifi

reference_url

https://lists.apache.org/thread/47od9kr9n4cyv0mv81jh3pkyx815kyjl

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.apache.org/thread/47od9kr9n4cyv0mv81jh3pkyx815kyjl

reference_url

https://nifi.apache.org/security.html#CVE-2022-29265

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nifi.apache.org/security.html#CVE-2022-29265

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-29265

reference_id

CVE-2022-29265

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-29265

reference_url

https://github.com/advisories/GHSA-wc97-7623-rxwx

reference_id

GHSA-wc97-7623-rxwx

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-wc97-7623-rxwx

fixed_packages

url pkg:maven/org.apache.nifi/nifi@1.16.1

purl pkg:maven/org.apache.nifi/nifi@1.16.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-grt2-a9zv-gkck

vulnerability	VCID-jwv9-rx8x-jkf3

vulnerability	VCID-mm3u-4acx-e3hj

vulnerability	VCID-qkvt-fdp4-uyd6

vulnerability	VCID-u3p9-su6e-efbw

vulnerability	VCID-uwnc-5qk4-eqgw

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.16.1

aliases CVE-2022-29265, GHSA-wc97-7623-rxwx

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-jmcf-m398-pqec

url VCID-jnfq-u9wb-k7dq

vulnerability_id VCID-jnfq-u9wb-k7dq

summary

Improper Input Validation
A malicious host header in an incoming HTTP request could cause NiFi to load resources from an external server.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2017-12632

reference_id

reference_type

scores

value	0.0053
scoring_system	epss
scoring_elements	0.6758
published_at	2026-06-04T12:55:00Z

value	0.0053
scoring_system	epss
scoring_elements	0.67621
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2017-12632

reference_url

https://nifi.apache.org/security.html#CVE-2017-12632

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nifi.apache.org/security.html#CVE-2017-12632

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2017-12632

reference_id

CVE-2017-12632

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2017-12632

fixed_packages

url pkg:maven/org.apache.nifi/nifi@1.5.0

purl pkg:maven/org.apache.nifi/nifi@1.5.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-49kq-6d3w-1ufx

vulnerability	VCID-babh-856u-5qcj

vulnerability	VCID-bgn1-6ac8-53b2

vulnerability	VCID-bj2c-k1hr-nycy

vulnerability	VCID-g7v6-tmrk-tuer

vulnerability	VCID-grt2-a9zv-gkck

vulnerability	VCID-gxag-kxb4-n7ge

vulnerability	VCID-jmcf-m398-pqec

vulnerability	VCID-mm3u-4acx-e3hj

vulnerability	VCID-n9ad-a71z-vfeh

vulnerability	VCID-u3p9-su6e-efbw

vulnerability	VCID-uwnc-5qk4-eqgw

vulnerability	VCID-uxfk-98ce-hfe8

vulnerability	VCID-y1sd-wp8g-afcn

vulnerability	VCID-y5yt-6b5k-6yar

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.5.0

aliases CVE-2017-12632, GHSA-w4x6-j349-9r57

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-jnfq-u9wb-k7dq

url VCID-mm3u-4acx-e3hj

vulnerability_id VCID-mm3u-4acx-e3hj

summary

Apache NiFi Code Injection vulnerability
Apache NiFi 0.0.2 through 1.22.0 include Processors and Controller Services that support HTTP URL references for retrieving drivers, which allows an authenticated and authorized user to configure a location that enables custom code execution. The resolution introduces a new Required Permission for referencing remote resources, restricting configuration of these components to privileged users. The permission prevents unprivileged users from configuring Processors and Controller Services annotated with the new Reference Remote Resources restriction. Upgrading to Apache NiFi 1.23.0 is the recommended mitigation.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-36542

reference_id

reference_type

scores

value	0.01177
scoring_system	epss
scoring_elements	0.79093
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-36542

reference_url

http://seclists.org/fulldisclosure/2023/Jul/43

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-03T13:50:05Z/

url

http://seclists.org/fulldisclosure/2023/Jul/43

reference_url

https://github.com/apache/nifi

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/nifi

reference_url

https://github.com/apache/nifi/commit/532578799c

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/nifi/commit/532578799c

reference_url

https://issues.apache.org/jira/browse/NIFI-11744

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://issues.apache.org/jira/browse/NIFI-11744

reference_url

https://lists.apache.org/thread/swnly3dzhhq9zo3rofc8djq77stkhbof

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-03T13:50:05Z/

url

https://lists.apache.org/thread/swnly3dzhhq9zo3rofc8djq77stkhbof

reference_url

https://nifi.apache.org/security.html#CVE-2023-36542

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-03T13:50:05Z/

url

https://nifi.apache.org/security.html#CVE-2023-36542

reference_url

http://www.openwall.com/lists/oss-security/2023/07/29/1

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-03T13:50:05Z/

url

http://www.openwall.com/lists/oss-security/2023/07/29/1

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-36542

reference_id

CVE-2023-36542

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-36542

reference_url	https://github.com/advisories/GHSA-r969-8v3h-23v9
reference_id	GHSA-r969-8v3h-23v9
reference_type
scores
url	https://github.com/advisories/GHSA-r969-8v3h-23v9

fixed_packages

url pkg:maven/org.apache.nifi/nifi@1.23.0

purl pkg:maven/org.apache.nifi/nifi@1.23.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-juu3-g6fp-1qhn

vulnerability	VCID-u3p9-su6e-efbw

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.23.0

aliases CVE-2023-36542, GHSA-r969-8v3h-23v9

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-mm3u-4acx-e3hj

url VCID-n9ad-a71z-vfeh

vulnerability_id VCID-n9ad-a71z-vfeh

summary

Exposure of Sensitive Information to an Unauthorized Actor
In the TransformXML processor of Apache NiFi an authenticated user could configure an XSLT file which, if it included malicious external entity calls, may reveal sensitive information.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2021-44145

reference_id

reference_type

scores

value	0.00315
scoring_system	epss
scoring_elements	0.54884
published_at	2026-06-04T12:55:00Z

value	0.00315
scoring_system	epss
scoring_elements	0.54942
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2021-44145

reference_url

https://nifi.apache.org/security.html#1.15.1-vulnerabilities

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nifi.apache.org/security.html#1.15.1-vulnerabilities

reference_url

http://www.openwall.com/lists/oss-security/2021/12/17/1

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2021/12/17/1

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2021-44145

reference_id

CVE-2021-44145

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2021-44145

reference_url

https://github.com/advisories/GHSA-rq96-qhc5-vm4r

reference_id

GHSA-rq96-qhc5-vm4r

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-rq96-qhc5-vm4r

fixed_packages

url pkg:maven/org.apache.nifi/nifi@1.15.1

purl pkg:maven/org.apache.nifi/nifi@1.15.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-8vy1-a5st-abfb

vulnerability	VCID-grt2-a9zv-gkck

vulnerability	VCID-jmcf-m398-pqec

vulnerability	VCID-jwv9-rx8x-jkf3

vulnerability	VCID-mm3u-4acx-e3hj

vulnerability	VCID-qkvt-fdp4-uyd6

vulnerability	VCID-u3p9-su6e-efbw

vulnerability	VCID-uwnc-5qk4-eqgw

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.15.1

aliases CVE-2021-44145, GHSA-rq96-qhc5-vm4r

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-n9ad-a71z-vfeh

url VCID-ty4z-t2su-muc6

vulnerability_id VCID-ty4z-t2su-muc6

summary

Origin Validation Error
Apache NiFi needs to establish the response header telling browsers to only allow framing with the same origin.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2017-7667

reference_id

reference_type

scores

value	0.00392
scoring_system	epss
scoring_elements	0.60506
published_at	2026-06-04T12:55:00Z

value	0.00392
scoring_system	epss
scoring_elements	0.60554
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2017-7667

reference_url

https://lists.apache.org/thread.html/d779d6129de1a5aa149c219b2fc6e9e78156614eaac92a89cbaf9bce@%3Cdev.nifi.apache.org%3E

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.apache.org/thread.html/d779d6129de1a5aa149c219b2fc6e9e78156614eaac92a89cbaf9bce@%3Cdev.nifi.apache.org%3E

reference_url

http://www.securityfocus.com/bid/99018

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

http://www.securityfocus.com/bid/99018

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2017-7667

reference_id

CVE-2017-7667

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2017-7667

fixed_packages

url pkg:maven/org.apache.nifi/nifi@0.7.4

purl pkg:maven/org.apache.nifi/nifi@0.7.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-8ybn-5kck-d7fz

vulnerability	VCID-jmcf-m398-pqec

vulnerability	VCID-jnfq-u9wb-k7dq

vulnerability	VCID-mm3u-4acx-e3hj

vulnerability	VCID-n9ad-a71z-vfeh

vulnerability	VCID-u3p9-su6e-efbw

vulnerability	VCID-uwnc-5qk4-eqgw

vulnerability	VCID-y5yt-6b5k-6yar

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@0.7.4

url pkg:maven/org.apache.nifi/nifi@1.3.0

purl pkg:maven/org.apache.nifi/nifi@1.3.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2ps4-jf7z-nqf1

vulnerability	VCID-49kq-6d3w-1ufx

vulnerability	VCID-babh-856u-5qcj

vulnerability	VCID-bgn1-6ac8-53b2

vulnerability	VCID-bj2c-k1hr-nycy

vulnerability	VCID-cqqh-wp8z-jua2

vulnerability	VCID-e3tg-8rmu-9ucb

vulnerability	VCID-g7v6-tmrk-tuer

vulnerability	VCID-grt2-a9zv-gkck

vulnerability	VCID-gxag-kxb4-n7ge

vulnerability	VCID-jmcf-m398-pqec

vulnerability	VCID-jnfq-u9wb-k7dq

vulnerability	VCID-mm3u-4acx-e3hj

vulnerability	VCID-n9ad-a71z-vfeh

vulnerability	VCID-u3p9-su6e-efbw

vulnerability	VCID-uwnc-5qk4-eqgw

vulnerability	VCID-uxfk-98ce-hfe8

vulnerability	VCID-y1sd-wp8g-afcn

vulnerability	VCID-y5yt-6b5k-6yar

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.3.0

aliases CVE-2017-7667, GHSA-jvx9-rj3w-jq99

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ty4z-t2su-muc6

url VCID-uwnc-5qk4-eqgw

vulnerability_id VCID-uwnc-5qk4-eqgw

summary

Apache NiFi vulnerable to Code Injection
The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution.

The resolution validates the Database URL and rejects H2 JDBC locations.

You are recommended to upgrade to version 1.22.0 or later which fixes this issue.

references

reference_url

http://packetstormsecurity.com/files/174398/Apache-NiFi-H2-Connection-String-Remote-Code-Execution.html

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-08T20:21:50Z/

url

http://packetstormsecurity.com/files/174398/Apache-NiFi-H2-Connection-String-Remote-Code-Execution.html

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-34468

reference_id

reference_type

scores

value	0.78065
scoring_system	epss
scoring_elements	0.99035
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-34468

reference_url

https://exceptionfactory.com/posts/2023/10/07/firsthand-analysis-of-apache-nifi-vulnerability-cve-2023-34468

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://exceptionfactory.com/posts/2023/10/07/firsthand-analysis-of-apache-nifi-vulnerability-cve-2023-34468

reference_url

https://github.com/apache/nifi

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/nifi

reference_url

https://github.com/apache/nifi/commit/4faf3ea59895e7e153db3f8f61147ff70a254361

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/nifi/commit/4faf3ea59895e7e153db3f8f61147ff70a254361

reference_url

https://github.com/apache/nifi/pull/7349

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/nifi/pull/7349

reference_url

https://issues.apache.org/jira/browse/NIFI-11653

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://issues.apache.org/jira/browse/NIFI-11653

reference_url

https://lists.apache.org/thread/7b82l4f5blmpkfcynf3y6z4x1vqo59h8

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-08T20:21:50Z/

url

https://lists.apache.org/thread/7b82l4f5blmpkfcynf3y6z4x1vqo59h8

reference_url

https://nifi.apache.org/security.html#CVE-2023-34468

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-08T20:21:50Z/

url

https://nifi.apache.org/security.html#CVE-2023-34468

reference_url

https://www.cyfirma.com/outofband/apache-nifi-cve-2023-34468-rce-vulnerability-analysis-and-exploitation

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://www.cyfirma.com/outofband/apache-nifi-cve-2023-34468-rce-vulnerability-analysis-and-exploitation

reference_url

http://www.openwall.com/lists/oss-security/2023/06/12/3

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-08T20:21:50Z/

url

http://www.openwall.com/lists/oss-security/2023/06/12/3

reference_url

https://www.cyfirma.com/outofband/apache-nifi-cve-2023-34468-rce-vulnerability-analysis-and-exploitation/

reference_id

apache-nifi-cve-2023-34468-rce-vulnerability-analysis-and-exploitation

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-08T20:21:50Z/

url

https://www.cyfirma.com/outofband/apache-nifi-cve-2023-34468-rce-vulnerability-analysis-and-exploitation/

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-34468

reference_id

CVE-2023-34468

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-34468

reference_url	https://github.com/advisories/GHSA-xm2m-2q6h-22jw
reference_id	GHSA-xm2m-2q6h-22jw
reference_type
scores
url	https://github.com/advisories/GHSA-xm2m-2q6h-22jw

fixed_packages

url pkg:maven/org.apache.nifi/nifi@1.22.0

purl pkg:maven/org.apache.nifi/nifi@1.22.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-juu3-g6fp-1qhn

vulnerability	VCID-mm3u-4acx-e3hj

vulnerability	VCID-u3p9-su6e-efbw

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.22.0

aliases CVE-2023-34468, GHSA-xm2m-2q6h-22jw

risk_score 10.0

exploitability 2.0

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-uwnc-5qk4-eqgw

url VCID-y5yt-6b5k-6yar

vulnerability_id VCID-y5yt-6b5k-6yar

summary

Deserialization of Untrusted Data
Apache NiFi JMS Deserialization issue because of ActiveMQ client vulnerability. Malicious JMS content could cause denial of service.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2018-1310

reference_id

reference_type

scores

value	0.0184
scoring_system	epss
scoring_elements	0.83303
published_at	2026-06-04T12:55:00Z

value	0.0184
scoring_system	epss
scoring_elements	0.83329
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2018-1310

reference_url

https://nifi.apache.org/security.html#CVE-2018-1310

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nifi.apache.org/security.html#CVE-2018-1310

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2018-1310

reference_id

CVE-2018-1310

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2018-1310

fixed_packages

url pkg:maven/org.apache.nifi/nifi@1.6.0

purl pkg:maven/org.apache.nifi/nifi@1.6.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-49kq-6d3w-1ufx

vulnerability	VCID-babh-856u-5qcj

vulnerability	VCID-bgn1-6ac8-53b2

vulnerability	VCID-bj2c-k1hr-nycy

vulnerability	VCID-g7v6-tmrk-tuer

vulnerability	VCID-grt2-a9zv-gkck

vulnerability	VCID-gxag-kxb4-n7ge

vulnerability	VCID-jmcf-m398-pqec

vulnerability	VCID-mm3u-4acx-e3hj

vulnerability	VCID-n9ad-a71z-vfeh

vulnerability	VCID-u3p9-su6e-efbw

vulnerability	VCID-uwnc-5qk4-eqgw

vulnerability	VCID-uxfk-98ce-hfe8

vulnerability	VCID-y1sd-wp8g-afcn

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.6.0

aliases CVE-2018-1310, GHSA-p76j-5v6v-6c22

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-y5yt-6b5k-6yar

Fixing_vulnerabilities

Risk_score 4.0

Resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@0.2.0-incubating

Package Instance