Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:maven/org.apache.nifi/nifi@1.0.0

Type maven

Namespace org.apache.nifi

Name nifi

Version 1.0.0

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 1.5.0

Latest_non_vulnerable_version 1.24.0

Affected_by_vulnerabilities

url VCID-2ps4-jf7z-nqf1

vulnerability_id VCID-2ps4-jf7z-nqf1

summary

Deserialization of Untrusted Data
Any authenticated user (valid client certificate but without ACL permissions) could upload a template which contained malicious code and caused a denial of service via Java deserialization attack.

references

reference_url	https://nifi.apache.org/security.html#CVE-2017-15703
reference_id
reference_type
scores
url	https://nifi.apache.org/security.html#CVE-2017-15703

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2017-15703
reference_id	CVE-2017-15703
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2017-15703

fixed_packages

url	pkg:maven/org.apache.nifi/nifi@1.5.0
purl	pkg:maven/org.apache.nifi/nifi@1.5.0
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.5.0

aliases CVE-2017-15703

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2ps4-jf7z-nqf1

url VCID-49kq-6d3w-1ufx

vulnerability_id VCID-49kq-6d3w-1ufx

summary

Improper Input Validation
The `X-Frame-Options` headers were applied inconsistently on some HTTP responses, resulting in duplicate or missing security headers. Some browsers would interpret these results incorrectly, allowing clickjacking attacks.

references

reference_url	https://nifi.apache.org/security.html#CVE-2018-17192
reference_id
reference_type
scores
url	https://nifi.apache.org/security.html#CVE-2018-17192

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2018-17192
reference_id	CVE-2018-17192
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2018-17192

fixed_packages

url	pkg:maven/org.apache.nifi/nifi@1.7.0
purl	pkg:maven/org.apache.nifi/nifi@1.7.0
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.7.0

aliases CVE-2018-17192

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-49kq-6d3w-1ufx

url VCID-5yn9-8juq-mkd9

vulnerability_id VCID-5yn9-8juq-mkd9

summary

Cross-site Scripting
There are certain user input components in the UI which had been guarding for some forms of XSS issues but were insufficient.

references

reference_url	http://www.securityfocus.com/bid/99009
reference_id
reference_type
scores
url	http://www.securityfocus.com/bid/99009

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2017-7665
reference_id	CVE-2017-7665
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2017-7665

fixed_packages

url pkg:maven/org.apache.nifi/nifi@1.3.0

purl pkg:maven/org.apache.nifi/nifi@1.3.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-e3tg-8rmu-9ucb

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.3.0

aliases CVE-2017-7665

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5yn9-8juq-mkd9

url VCID-cqqh-wp8z-jua2

vulnerability_id VCID-cqqh-wp8z-jua2

summary

Improper Input Validation
A malicious `X-ProxyContextPath` or `X-Forwarded-Context` header containing external resources or embedded code could cause remote code execution.

references

reference_url	https://nifi.apache.org/security.html#CVE-2017-15697
reference_id
reference_type
scores
url	https://nifi.apache.org/security.html#CVE-2017-15697

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2017-15697
reference_id	CVE-2017-15697
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2017-15697

fixed_packages

url	pkg:maven/org.apache.nifi/nifi@1.5.0
purl	pkg:maven/org.apache.nifi/nifi@1.5.0
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.5.0

aliases CVE-2017-15697

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-cqqh-wp8z-jua2

url VCID-e3tg-8rmu-9ucb

vulnerability_id VCID-e3tg-8rmu-9ucb

summary

Improper Restriction of XML External Entity Reference
An authorized user could upload a template which contained malicious code and accessed sensitive files via an XML External Entity.

references

reference_url	https://nifi.apache.org/security.html#CVE-2017-12623
reference_id
reference_type
scores
url	https://nifi.apache.org/security.html#CVE-2017-12623

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2017-12623
reference_id	CVE-2017-12623
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2017-12623

fixed_packages

url pkg:maven/org.apache.nifi/nifi@1.4.0

purl pkg:maven/org.apache.nifi/nifi@1.4.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2ps4-jf7z-nqf1

vulnerability	VCID-cqqh-wp8z-jua2

vulnerability	VCID-jnfq-u9wb-k7dq

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.4.0

aliases CVE-2017-12623

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-e3tg-8rmu-9ucb

url VCID-ty4z-t2su-muc6

vulnerability_id VCID-ty4z-t2su-muc6

summary

Origin Validation Error
Apache NiFi needs to establish the response header telling browsers to only allow framing with the same origin.

references

reference_url	http://www.securityfocus.com/bid/99018
reference_id
reference_type
scores
url	http://www.securityfocus.com/bid/99018

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2017-7667
reference_id	CVE-2017-7667
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2017-7667

fixed_packages

url pkg:maven/org.apache.nifi/nifi@1.3.0

purl pkg:maven/org.apache.nifi/nifi@1.3.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-e3tg-8rmu-9ucb

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.3.0

aliases CVE-2017-7667

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ty4z-t2su-muc6

url VCID-uxfk-98ce-hfe8

vulnerability_id VCID-uxfk-98ce-hfe8

summary

Cross-site Scripting
The error page reflects the value of the HTTP request header `X-ProxyContextPath` without sanitization, resulting in a XSS attack.

references

reference_url	https://nifi.apache.org/security.html#CVE-2018-17193
reference_id
reference_type
scores
url	https://nifi.apache.org/security.html#CVE-2018-17193

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2018-17193
reference_id	CVE-2018-17193
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2018-17193

fixed_packages

url pkg:maven/org.apache.nifi/nifi@1.8.0

purl pkg:maven/org.apache.nifi/nifi@1.8.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-qkvt-fdp4-uyd6

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.8.0

aliases CVE-2018-17193

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-uxfk-98ce-hfe8

url VCID-y1sd-wp8g-afcn

vulnerability_id VCID-y1sd-wp8g-afcn

summary

Cross-Site Request Forgery (CSRF)
The template upload API endpoint accepts requests from different domain when sent in conjunction with ARP spoofing + man in the middle (MiTM) attack, resulting in a CSRF attack.

references

reference_url	https://nifi.apache.org/security.html#CVE-2018-17195
reference_id
reference_type
scores
url	https://nifi.apache.org/security.html#CVE-2018-17195

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2018-17195
reference_id	CVE-2018-17195
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2018-17195

fixed_packages

url pkg:maven/org.apache.nifi/nifi@1.8.0

purl pkg:maven/org.apache.nifi/nifi@1.8.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-qkvt-fdp4-uyd6

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.8.0

aliases CVE-2018-17195

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-y1sd-wp8g-afcn

Fixing_vulnerabilities

Risk_score null

Resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.0.0

Package Instance