Package Instance

Deserialization of Untrusted Data
Any authenticated user (valid client certificate but without ACL permissions) could upload a template which contained malicious code and caused a denial of service via Java deserialization attack.

Improper Input Validation
The `X-Frame-Options` headers were applied inconsistently on some HTTP responses, resulting in duplicate or missing security headers. Some browsers would interpret these results incorrectly, allowing clickjacking attacks.

Cross-site Scripting
There are certain user input components in the UI which had been guarding for some forms of XSS issues but were insufficient.

Cross-site Scripting
A XSS vulnerability was found in Apache NiFi. Malicious scripts could be injected to the UI through action by an unaware authenticated user in Firefox. Did not appear to occur in other browsers.

Improper Restriction of XML External Entity Reference
In Apache NiFi, the notification service manager and various policy authorizer and user group provider objects allowed trusted administrators to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE).

Improper Input Validation
A malicious `X-ProxyContextPath` or `X-Forwarded-Context` header containing external resources or embedded code could cause remote code execution.

Improper Restriction of XML External Entity Reference
An authorized user could upload a template which contained malicious code and accessed sensitive files via an XML External Entity.

Inadequate Encryption Strength
In Apache NiFi, the NiFi UI and API were protected by mandating TLS v1.2, as well as listening connections established by processors like ListenHTTP, HandleHttpRequest, etc. However, intracluster communication such as cluster request replication, Site-to-Site, and load balanced queues continued to support TLS v1.0 or v1.1.

Improper Input Validation
A malicious host header in an incoming HTTP request could cause NiFi to load resources from an external server.

Origin Validation Error
Apache NiFi needs to establish the response header telling browsers to only allow framing with the same origin.

Cross-site Scripting
The error page reflects the value of the HTTP request header `X-ProxyContextPath` without sanitization, resulting in a XSS attack.

Cross-Site Request Forgery (CSRF)
The template upload API endpoint accepts requests from different domain when sent in conjunction with ARP spoofing + man in the middle (MiTM) attack, resulting in a CSRF attack.

Deserialization of Untrusted Data
Apache NiFi JMS Deserialization issue because of ActiveMQ client vulnerability. Malicious JMS content could cause denial of service.

Injection Vulnerability
The proxy chain `serialization/deserialization` is vulnerable to an injection attack where a carefully crafted username could impersonate another user and gain their permissions on a replicated request to another node.

Improper Authentication
If an anonymous user request is replicated to another node, the originating node identity is used rather than the "anonymous" user.