{"url":"http://public2.vulnerablecode.io/api/packages/24277?format=json","purl":"pkg:maven/org.apache.nifi/nifi@1.0.0","type":"maven","namespace":"org.apache.nifi","name":"nifi","version":"1.0.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"1.24.0","latest_non_vulnerable_version":"1.24.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8382?format=json","vulnerability_id":"VCID-1hne-dn7f-4yfy","summary":"Injection Vulnerability\nThe proxy chain `serialization/deserialization` is vulnerable to an injection attack where a carefully crafted username could impersonate another user and gain their permissions on a replicated request to another node.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-5636","reference_id":"","reference_type":"","scores":[{"value":"0.01198","scoring_system":"epss","scoring_elements":"0.78982","published_at":"2026-05-05T12:55:00Z"},{"value":"0.01198","scoring_system":"epss","scoring_elements":"0.78914","published_at":"2026-04-11T12:55:00Z"},{"value":"0.01198","scoring_system":"epss","scoring_elements":"0.78899","published_at":"2026-04-12T12:55:00Z"},{"value":"0.01198","scoring_system":"epss","scoring_elements":"0.78889","published_at":"2026-04-13T12:55:00Z"},{"value":"0.01198","scoring_system":"epss","scoring_elements":"0.78917","published_at":"2026-04-16T12:55:00Z"},{"value":"0.01198","scoring_system":"epss","scoring_elements":"0.78915","published_at":"2026-04-18T12:55:00Z"},{"value":"0.01198","scoring_system":"epss","scoring_elements":"0.78912","published_at":"2026-04-21T12:55:00Z"},{"value":"0.01198","scoring_system":"epss","scoring_elements":"0.78942","published_at":"2026-04-24T12:55:00Z"},{"value":"0.01198","scoring_system":"epss","scoring_elements":"0.7895","published_at":"2026-04-26T12:55:00Z"},{"value":"0.01198","scoring_system":"epss","scoring_elements":"0.78966","published_at":"2026-04-29T12:55:00Z"},{"value":"0.01198","scoring_system":"epss","scoring_elements":"0.78842","published_at":"2026-04-01T12:55:00Z"},{"value":"0.01198","scoring_system":"epss","scoring_elements":"0.78849","published_at":"2026-04-02T12:55:00Z"},{"value":"0.01198","scoring_system":"epss","scoring_elements":"0.78877","published_at":"2026-04-04T12:55:00Z"},{"value":"0.01198","scoring_system":"epss","scoring_elements":"0.78859","published_at":"2026-04-07T12:55:00Z"},{"value":"0.01198","scoring_system":"epss","scoring_elements":"0.78884","published_at":"2026-04-08T12:55:00Z"},{"value":"0.01198","scoring_system":"epss","scoring_elements":"0.78891","published_at":"2026-04-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-5636"},{"reference_url":"https://nifi.apache.org/security.html#CVE-2017-5636","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nifi.apache.org/security.html#CVE-2017-5636"},{"reference_url":"http://www.securityfocus.com/bid/96731","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.securityfocus.com/bid/96731"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:nifi:0.7.0:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:nifi:0.7.0:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:nifi:0.7.0:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:nifi:0.7.1:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:nifi:0.7.1:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:nifi:0.7.1:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:nifi:1.1.0:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:nifi:1.1.0:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:nifi:1.1.0:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:nifi:1.1.1:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:nifi:1.1.1:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:nifi:1.1.1:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-5636","reference_id":"CVE-2017-5636","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:N/C:P/I:P/A:P"},{"value":"9.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-5636"},{"reference_url":"https://github.com/advisories/GHSA-jrcc-7jf5-3pxg","reference_id":"GHSA-jrcc-7jf5-3pxg","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jrcc-7jf5-3pxg"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/24280?format=json","purl":"pkg:maven/org.apache.nifi/nifi@1.1.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2dsr-hras-zudk"},{"vulnerability":"VCID-2ema-4jrp-3kfr"},{"vulnerability":"VCID-3eka-p4cs-f3dz"},{"vulnerability":"VCID-3rp1-pc25-euhm"},{"vulnerability":"VCID-6mt2-4tn4-5bcb"},{"vulnerability":"VCID-bppj-knks-jybe"},{"vulnerability":"VCID-bpqd-tx8f-kycf"},{"vulnerability":"VCID-gqjq-sbf1-x7ew"},{"vulnerability":"VCID-hy35-v2p5-2ycq"},{"vulnerability":"VCID-j263-1hyr-t7hn"},{"vulnerability":"VCID-k1bm-1u7b-vybp"},{"vulnerability":"VCID-r9su-47z6-x7cw"},{"vulnerability":"VCID-rj21-6d19-gqbe"},{"vulnerability":"VCID-rjau-hbsn-u3ah"},{"vulnerability":"VCID-rn4r-36ab-sfey"},{"vulnerability":"VCID-rv8f-q4a4-xqbk"},{"vulnerability":"VCID-tnfn-2kzc-rugx"},{"vulnerability":"VCID-w18h-3c8s-s3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.1.2"}],"aliases":["CVE-2017-5636","GHSA-jrcc-7jf5-3pxg"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1hne-dn7f-4yfy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/4832?format=json","vulnerability_id":"VCID-2dsr-hras-zudk","summary":"The template upload API endpoint accepted requests from different domain when sent in conjunction with ARP spoofing + man in the middle (MiTM) attack, resulting in a CSRF attack. The required attack vector is complex, requiring a scenario with client certificate authentication, same subnet access, and injecting malicious code into an unprotected (plaintext HTTP) website which the targeted user later visits, but the possible damage warranted a Severe severity level. Mitigation: The fix to apply Cross-Origin Resource Sharing (CORS) policy request filtering was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-17195","reference_id":"","reference_type":"","scores":[{"value":"0.00364","scoring_system":"epss","scoring_elements":"0.58372","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00364","scoring_system":"epss","scoring_elements":"0.5845","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00364","scoring_system":"epss","scoring_elements":"0.58456","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00364","scoring_system":"epss","scoring_elements":"0.58474","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00364","scoring_system":"epss","scoring_elements":"0.58454","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00364","scoring_system":"epss","scoring_elements":"0.58435","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00364","scoring_system":"epss","scoring_elements":"0.58467","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00364","scoring_system":"epss","scoring_elements":"0.58472","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00364","scoring_system":"epss","scoring_elements":"0.58449","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00364","scoring_system":"epss","scoring_elements":"0.5841","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00364","scoring_system":"epss","scoring_elements":"0.58423","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00364","scoring_system":"epss","scoring_elements":"0.58408","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00364","scoring_system":"epss","scoring_elements":"0.58319","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00364","scoring_system":"epss","scoring_elements":"0.58404","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00364","scoring_system":"epss","scoring_elements":"0.58424","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00364","scoring_system":"epss","scoring_elements":"0.58398","published_at":"2026-04-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-17195"},{"reference_url":"https://github.com/advisories/GHSA-3jq8-jg75-rqv6","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3jq8-jg75-rqv6"},{"reference_url":"https://github.com/apache/nifi/commit/246c090526143943557b15868db6e8fe3fb30cf6","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/nifi/commit/246c090526143943557b15868db6e8fe3fb30cf6"},{"reference_url":"https://issues.apache.org/jira/browse/NIFI-5595","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://issues.apache.org/jira/browse/NIFI-5595"},{"reference_url":"https://nifi.apache.org/security.html#CVE-2018-17195","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nifi.apache.org/security.html#CVE-2018-17195"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-17195","reference_id":"CVE-2018-17195","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-17195"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/34094?format=json","purl":"pkg:maven/org.apache.nifi/nifi@1.8.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ema-4jrp-3kfr"},{"vulnerability":"VCID-3eka-p4cs-f3dz"},{"vulnerability":"VCID-4uja-72yx-6qdc"},{"vulnerability":"VCID-4v3d-ugqf-uyag"},{"vulnerability":"VCID-bppj-knks-jybe"},{"vulnerability":"VCID-bpqd-tx8f-kycf"},{"vulnerability":"VCID-ec58-s3nd-7yaz"},{"vulnerability":"VCID-g74u-zmqj-gyb7"},{"vulnerability":"VCID-gqjq-sbf1-x7ew"},{"vulnerability":"VCID-hy35-v2p5-2ycq"},{"vulnerability":"VCID-rn4r-36ab-sfey"},{"vulnerability":"VCID-rv8f-q4a4-xqbk"},{"vulnerability":"VCID-yrgr-3cv3-b3ff"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.8.0"}],"aliases":["CVE-2018-17195","GHSA-3jq8-jg75-rqv6"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2dsr-hras-zudk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/52506?format=json","vulnerability_id":"VCID-2ema-4jrp-3kfr","summary":"Inadequate Encryption Strength in Apache NiFi\nIn Apache NiFi 1.2.0 to 1.11.4, the NiFi UI and API were protected by mandating TLS v1.2, as well as listening connections established by processors like ListenHTTP, HandleHttpRequest, etc. However intracluster communication such as cluster request replication, Site-to-Site, and load balanced queues continued to support TLS v1.0 or v1.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-9491","reference_id":"","reference_type":"","scores":[{"value":"0.0132","scoring_system":"epss","scoring_elements":"0.79972","published_at":"2026-05-05T12:55:00Z"},{"value":"0.0132","scoring_system":"epss","scoring_elements":"0.79852","published_at":"2026-04-04T12:55:00Z"},{"value":"0.0132","scoring_system":"epss","scoring_elements":"0.7984","published_at":"2026-04-07T12:55:00Z"},{"value":"0.0132","scoring_system":"epss","scoring_elements":"0.79868","published_at":"2026-04-08T12:55:00Z"},{"value":"0.0132","scoring_system":"epss","scoring_elements":"0.79876","published_at":"2026-04-09T12:55:00Z"},{"value":"0.0132","scoring_system":"epss","scoring_elements":"0.79897","published_at":"2026-04-11T12:55:00Z"},{"value":"0.0132","scoring_system":"epss","scoring_elements":"0.7988","published_at":"2026-04-12T12:55:00Z"},{"value":"0.0132","scoring_system":"epss","scoring_elements":"0.79872","published_at":"2026-04-13T12:55:00Z"},{"value":"0.0132","scoring_system":"epss","scoring_elements":"0.79901","published_at":"2026-04-16T12:55:00Z"},{"value":"0.0132","scoring_system":"epss","scoring_elements":"0.79902","published_at":"2026-04-18T12:55:00Z"},{"value":"0.0132","scoring_system":"epss","scoring_elements":"0.79905","published_at":"2026-04-21T12:55:00Z"},{"value":"0.0132","scoring_system":"epss","scoring_elements":"0.79934","published_at":"2026-04-24T12:55:00Z"},{"value":"0.0132","scoring_system":"epss","scoring_elements":"0.7994","published_at":"2026-04-26T12:55:00Z"},{"value":"0.0132","scoring_system":"epss","scoring_elements":"0.79957","published_at":"2026-04-29T12:55:00Z"},{"value":"0.0132","scoring_system":"epss","scoring_elements":"0.79823","published_at":"2026-04-01T12:55:00Z"},{"value":"0.0132","scoring_system":"epss","scoring_elements":"0.7983","published_at":"2026-04-02T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-9491"},{"reference_url":"https://github.com/apache/nifi","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/nifi"},{"reference_url":"https://github.com/apache/nifi/commit/441781cec50f77d9f1e65093f55bbd614b8c5ec6","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/nifi/commit/441781cec50f77d9f1e65093f55bbd614b8c5ec6"},{"reference_url":"https://lists.apache.org/thread.html/r2d9c21f9ec35d66f2bb42f8abe876dabd786166b6284e9a33582c718@%3Ccommits.nifi.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r2d9c21f9ec35d66f2bb42f8abe876dabd786166b6284e9a33582c718@%3Ccommits.nifi.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/re48582efe2ac973f8cff55c8b346825cb491c71935e15ab2d61ef3bf@%3Ccommits.nifi.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/re48582efe2ac973f8cff55c8b346825cb491c71935e15ab2d61ef3bf@%3Ccommits.nifi.apache.org%3E"},{"reference_url":"https://nifi.apache.org/security#CVE-2020-9491","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nifi.apache.org/security#CVE-2020-9491"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-9491","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-9491"},{"reference_url":"https://github.com/advisories/GHSA-rfmp-jvr7-hx78","reference_id":"GHSA-rfmp-jvr7-hx78","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rfmp-jvr7-hx78"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/80226?format=json","purl":"pkg:maven/org.apache.nifi/nifi@1.12.0-RC1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.12.0-RC1"},{"url":"http://public2.vulnerablecode.io/api/packages/215703?format=json","purl":"pkg:maven/org.apache.nifi/nifi@1.12.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3eka-p4cs-f3dz"},{"vulnerability":"VCID-4uja-72yx-6qdc"},{"vulnerability":"VCID-bpqd-tx8f-kycf"},{"vulnerability":"VCID-ec58-s3nd-7yaz"},{"vulnerability":"VCID-g74u-zmqj-gyb7"},{"vulnerability":"VCID-hy35-v2p5-2ycq"},{"vulnerability":"VCID-rn4r-36ab-sfey"},{"vulnerability":"VCID-rv8f-q4a4-xqbk"},{"vulnerability":"VCID-xhjy-xmhq-abh7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.12.0"}],"aliases":["CVE-2020-9491","GHSA-rfmp-jvr7-hx78"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2ema-4jrp-3kfr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/17849?format=json","vulnerability_id":"VCID-3eka-p4cs-f3dz","summary":"Apache NiFi vulnerable to Code Injection\nThe DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution.\n\nThe resolution validates the Database URL and rejects H2 JDBC locations.\n\nYou are recommended to upgrade to version 1.22.0 or later which fixes this issue.","references":[{"reference_url":"http://packetstormsecurity.com/files/174398/Apache-NiFi-H2-Connection-String-Remote-Code-Execution.html","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-08T20:21:50Z/"}],"url":"http://packetstormsecurity.com/files/174398/Apache-NiFi-H2-Connection-String-Remote-Code-Execution.html"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-34468","reference_id":"","reference_type":"","scores":[{"value":"0.77205","scoring_system":"epss","scoring_elements":"0.98973","published_at":"2026-04-13T12:55:00Z"},{"value":"0.77205","scoring_system":"epss","scoring_elements":"0.98967","published_at":"2026-04-04T12:55:00Z"},{"value":"0.77205","scoring_system":"epss","scoring_elements":"0.98974","published_at":"2026-04-16T12:55:00Z"},{"value":"0.77205","scoring_system":"epss","scoring_elements":"0.98975","published_at":"2026-04-21T12:55:00Z"},{"value":"0.77205","scoring_system":"epss","scoring_elements":"0.98969","published_at":"2026-04-07T12:55:00Z"},{"value":"0.77205","scoring_system":"epss","scoring_elements":"0.98971","published_at":"2026-04-09T12:55:00Z"},{"value":"0.77205","scoring_system":"epss","scoring_elements":"0.98972","published_at":"2026-04-12T12:55:00Z"},{"value":"0.77205","scoring_system":"epss","scoring_elements":"0.98965","published_at":"2026-04-02T12:55:00Z"},{"value":"0.77812","scoring_system":"epss","scoring_elements":"0.99009","published_at":"2026-04-24T12:55:00Z"},{"value":"0.77812","scoring_system":"epss","scoring_elements":"0.99017","published_at":"2026-05-05T12:55:00Z"},{"value":"0.77812","scoring_system":"epss","scoring_elements":"0.99013","published_at":"2026-04-29T12:55:00Z"},{"value":"0.77812","scoring_system":"epss","scoring_elements":"0.99011","published_at":"2026-04-26T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-34468"},{"reference_url":"https://exceptionfactory.com/posts/2023/10/07/firsthand-analysis-of-apache-nifi-vulnerability-cve-2023-34468","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://exceptionfactory.com/posts/2023/10/07/firsthand-analysis-of-apache-nifi-vulnerability-cve-2023-34468"},{"reference_url":"https://github.com/apache/nifi","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/nifi"},{"reference_url":"https://github.com/apache/nifi/commit/4faf3ea59895e7e153db3f8f61147ff70a254361","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/nifi/commit/4faf3ea59895e7e153db3f8f61147ff70a254361"},{"reference_url":"https://github.com/apache/nifi/pull/7349","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/nifi/pull/7349"},{"reference_url":"https://issues.apache.org/jira/browse/NIFI-11653","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://issues.apache.org/jira/browse/NIFI-11653"},{"reference_url":"https://lists.apache.org/thread/7b82l4f5blmpkfcynf3y6z4x1vqo59h8","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-08T20:21:50Z/"}],"url":"https://lists.apache.org/thread/7b82l4f5blmpkfcynf3y6z4x1vqo59h8"},{"reference_url":"https://nifi.apache.org/security.html#CVE-2023-34468","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-08T20:21:50Z/"}],"url":"https://nifi.apache.org/security.html#CVE-2023-34468"},{"reference_url":"https://www.cyfirma.com/outofband/apache-nifi-cve-2023-34468-rce-vulnerability-analysis-and-exploitation","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.cyfirma.com/outofband/apache-nifi-cve-2023-34468-rce-vulnerability-analysis-and-exploitation"},{"reference_url":"http://www.openwall.com/lists/oss-security/2023/06/12/3","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-08T20:21:50Z/"}],"url":"http://www.openwall.com/lists/oss-security/2023/06/12/3"},{"reference_url":"https://www.cyfirma.com/outofband/apache-nifi-cve-2023-34468-rce-vulnerability-analysis-and-exploitation/","reference_id":"apache-nifi-cve-2023-34468-rce-vulnerability-analysis-and-exploitation","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-08T20:21:50Z/"}],"url":"https://www.cyfirma.com/outofband/apache-nifi-cve-2023-34468-rce-vulnerability-analysis-and-exploitation/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-34468","reference_id":"CVE-2023-34468","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-34468"},{"reference_url":"https://github.com/advisories/GHSA-xm2m-2q6h-22jw","reference_id":"GHSA-xm2m-2q6h-22jw","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xm2m-2q6h-22jw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/57917?format=json","purl":"pkg:maven/org.apache.nifi/nifi@1.22.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-hy35-v2p5-2ycq"},{"vulnerability":"VCID-rv8f-q4a4-xqbk"},{"vulnerability":"VCID-ues1-6z47-q7hc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.22.0"}],"aliases":["CVE-2023-34468","GHSA-xm2m-2q6h-22jw"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3eka-p4cs-f3dz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8347?format=json","vulnerability_id":"VCID-3rp1-pc25-euhm","summary":"Improper Restriction of XML External Entity Reference\nAn authorized user could upload a template which contained malicious code and accessed sensitive files via an XML External Entity.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-12623","reference_id":"","reference_type":"","scores":[{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.53189","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.53265","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.53303","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.53309","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.53289","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.5326","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.53271","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.53232","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.53181","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.53205","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.5323","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.53197","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.5325","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.53245","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.53296","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.53282","published_at":"2026-04-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-12623"},{"reference_url":"https://nifi.apache.org/security.html#CVE-2017-12623","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nifi.apache.org/security.html#CVE-2017-12623"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:nifi:1.0.0:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:nifi:1.0.0:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:nifi:1.0.0:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:nifi:1.0.1:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:nifi:1.0.1:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:nifi:1.0.1:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:nifi:1.1.0:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:nifi:1.1.0:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:nifi:1.1.0:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:nifi:1.1.1:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:nifi:1.1.1:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:nifi:1.1.1:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:nifi:1.1.2:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:nifi:1.1.2:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:nifi:1.1.2:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:nifi:1.2.0:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:nifi:1.2.0:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:nifi:1.2.0:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:nifi:1.3.0:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:nifi:1.3.0:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:nifi:1.3.0:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-12623","reference_id":"CVE-2017-12623","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:S/C:P/I:N/A:N"},{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-12623"},{"reference_url":"https://github.com/advisories/GHSA-qj7f-j6h9-g5rq","reference_id":"GHSA-qj7f-j6h9-g5rq","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qj7f-j6h9-g5rq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/25020?format=json","purl":"pkg:maven/org.apache.nifi/nifi@1.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2dsr-hras-zudk"},{"vulnerability":"VCID-2ema-4jrp-3kfr"},{"vulnerability":"VCID-3eka-p4cs-f3dz"},{"vulnerability":"VCID-4v3d-ugqf-uyag"},{"vulnerability":"VCID-6mt2-4tn4-5bcb"},{"vulnerability":"VCID-bppj-knks-jybe"},{"vulnerability":"VCID-bpqd-tx8f-kycf"},{"vulnerability":"VCID-g74u-zmqj-gyb7"},{"vulnerability":"VCID-gqjq-sbf1-x7ew"},{"vulnerability":"VCID-hy35-v2p5-2ycq"},{"vulnerability":"VCID-j263-1hyr-t7hn"},{"vulnerability":"VCID-k1bm-1u7b-vybp"},{"vulnerability":"VCID-rj21-6d19-gqbe"},{"vulnerability":"VCID-rjau-hbsn-u3ah"},{"vulnerability":"VCID-rn4r-36ab-sfey"},{"vulnerability":"VCID-rv8f-q4a4-xqbk"},{"vulnerability":"VCID-w18h-3c8s-s3eq"},{"vulnerability":"VCID-yrgr-3cv3-b3ff"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.4.0"}],"aliases":["CVE-2017-12623","GHSA-qj7f-j6h9-g5rq"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3rp1-pc25-euhm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8385?format=json","vulnerability_id":"VCID-4fnm-bxv8-vqhz","summary":"Cross-site Scripting\nIn Apache NiFi, there is a cross-site scripting vulnerability in connection details dialog when accessed by an authorized user. The user supplied text was not being properly handled when added to the DOM.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-8748","reference_id":"","reference_type":"","scores":[{"value":"0.00406","scoring_system":"epss","scoring_elements":"0.61051","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00406","scoring_system":"epss","scoring_elements":"0.61089","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00406","scoring_system":"epss","scoring_elements":"0.6111","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00406","scoring_system":"epss","scoring_elements":"0.61096","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00406","scoring_system":"epss","scoring_elements":"0.61077","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00406","scoring_system":"epss","scoring_elements":"0.61119","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00406","scoring_system":"epss","scoring_elements":"0.61125","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00406","scoring_system":"epss","scoring_elements":"0.61109","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00406","scoring_system":"epss","scoring_elements":"0.61097","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00406","scoring_system":"epss","scoring_elements":"0.61102","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00406","scoring_system":"epss","scoring_elements":"0.60953","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00406","scoring_system":"epss","scoring_elements":"0.6103","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00406","scoring_system":"epss","scoring_elements":"0.61059","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00406","scoring_system":"epss","scoring_elements":"0.61025","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00406","scoring_system":"epss","scoring_elements":"0.61073","published_at":"2026-04-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-8748"},{"reference_url":"https://nifi.apache.org/security.html#CVE-2016-8748","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nifi.apache.org/security.html#CVE-2016-8748"},{"reference_url":"http://www.securityfocus.com/bid/95621","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.securityfocus.com/bid/95621"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:nifi:1.1.0:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:nifi:1.1.0:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:nifi:1.1.0:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-8748","reference_id":"CVE-2016-8748","reference_type":"","scores":[{"value":"3.5","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:M/Au:S/C:N/I:P/A:N"},{"value":"5.4","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-8748"},{"reference_url":"https://github.com/advisories/GHSA-g2fm-x3cp-mqw9","reference_id":"GHSA-g2fm-x3cp-mqw9","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-g2fm-x3cp-mqw9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/24278?format=json","purl":"pkg:maven/org.apache.nifi/nifi@1.0.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2dsr-hras-zudk"},{"vulnerability":"VCID-2ema-4jrp-3kfr"},{"vulnerability":"VCID-3eka-p4cs-f3dz"},{"vulnerability":"VCID-3rp1-pc25-euhm"},{"vulnerability":"VCID-4fnm-bxv8-vqhz"},{"vulnerability":"VCID-6mt2-4tn4-5bcb"},{"vulnerability":"VCID-bppj-knks-jybe"},{"vulnerability":"VCID-bpqd-tx8f-kycf"},{"vulnerability":"VCID-gqjq-sbf1-x7ew"},{"vulnerability":"VCID-hy35-v2p5-2ycq"},{"vulnerability":"VCID-j263-1hyr-t7hn"},{"vulnerability":"VCID-k1bm-1u7b-vybp"},{"vulnerability":"VCID-r9su-47z6-x7cw"},{"vulnerability":"VCID-rj21-6d19-gqbe"},{"vulnerability":"VCID-rjau-hbsn-u3ah"},{"vulnerability":"VCID-rn4r-36ab-sfey"},{"vulnerability":"VCID-rv8f-q4a4-xqbk"},{"vulnerability":"VCID-tnfn-2kzc-rugx"},{"vulnerability":"VCID-w18h-3c8s-s3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.0.1"},{"url":"http://public2.vulnerablecode.io/api/packages/25061?format=json","purl":"pkg:maven/org.apache.nifi/nifi@1.1.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1hne-dn7f-4yfy"},{"vulnerability":"VCID-2dsr-hras-zudk"},{"vulnerability":"VCID-2ema-4jrp-3kfr"},{"vulnerability":"VCID-3eka-p4cs-f3dz"},{"vulnerability":"VCID-3rp1-pc25-euhm"},{"vulnerability":"VCID-6mt2-4tn4-5bcb"},{"vulnerability":"VCID-bppj-knks-jybe"},{"vulnerability":"VCID-bpqd-tx8f-kycf"},{"vulnerability":"VCID-gqjq-sbf1-x7ew"},{"vulnerability":"VCID-hy35-v2p5-2ycq"},{"vulnerability":"VCID-j263-1hyr-t7hn"},{"vulnerability":"VCID-k1bm-1u7b-vybp"},{"vulnerability":"VCID-r9su-47z6-x7cw"},{"vulnerability":"VCID-rj21-6d19-gqbe"},{"vulnerability":"VCID-rjau-hbsn-u3ah"},{"vulnerability":"VCID-rn4r-36ab-sfey"},{"vulnerability":"VCID-rv8f-q4a4-xqbk"},{"vulnerability":"VCID-tnfn-2kzc-rugx"},{"vulnerability":"VCID-w18h-3c8s-s3eq"},{"vulnerability":"VCID-xv8d-3nef-dygg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.1.1"}],"aliases":["CVE-2016-8748","GHSA-g2fm-x3cp-mqw9"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4fnm-bxv8-vqhz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/5055?format=json","vulnerability_id":"VCID-6mt2-4tn4-5bcb","summary":"The message-page.jsp error page used the value of the HTTP request header X-ProxyContextPath without sanitization, resulting in a reflected XSS attack. Mitigation: The fix to correctly parse and sanitize the request attribute value was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-17193","reference_id":"","reference_type":"","scores":[{"value":"0.0159","scoring_system":"epss","scoring_elements":"0.81729","published_at":"2026-05-05T12:55:00Z"},{"value":"0.0159","scoring_system":"epss","scoring_elements":"0.8158","published_at":"2026-04-02T12:55:00Z"},{"value":"0.0159","scoring_system":"epss","scoring_elements":"0.81601","published_at":"2026-04-04T12:55:00Z"},{"value":"0.0159","scoring_system":"epss","scoring_elements":"0.81598","published_at":"2026-04-07T12:55:00Z"},{"value":"0.0159","scoring_system":"epss","scoring_elements":"0.81626","published_at":"2026-04-08T12:55:00Z"},{"value":"0.0159","scoring_system":"epss","scoring_elements":"0.81631","published_at":"2026-04-09T12:55:00Z"},{"value":"0.0159","scoring_system":"epss","scoring_elements":"0.81651","published_at":"2026-04-11T12:55:00Z"},{"value":"0.0159","scoring_system":"epss","scoring_elements":"0.81639","published_at":"2026-04-12T12:55:00Z"},{"value":"0.0159","scoring_system":"epss","scoring_elements":"0.81632","published_at":"2026-04-13T12:55:00Z"},{"value":"0.0159","scoring_system":"epss","scoring_elements":"0.8167","published_at":"2026-04-18T12:55:00Z"},{"value":"0.0159","scoring_system":"epss","scoring_elements":"0.81674","published_at":"2026-04-21T12:55:00Z"},{"value":"0.0159","scoring_system":"epss","scoring_elements":"0.81697","published_at":"2026-04-24T12:55:00Z"},{"value":"0.0159","scoring_system":"epss","scoring_elements":"0.81706","published_at":"2026-04-26T12:55:00Z"},{"value":"0.0159","scoring_system":"epss","scoring_elements":"0.81711","published_at":"2026-04-29T12:55:00Z"},{"value":"0.0159","scoring_system":"epss","scoring_elements":"0.81568","published_at":"2026-04-01T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-17193"},{"reference_url":"https://github.com/advisories/GHSA-4qq9-rrq6-48ff","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4qq9-rrq6-48ff"},{"reference_url":"https://github.com/apache/nifi","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/nifi"},{"reference_url":"https://github.com/apache/nifi/commit/e62aa0252dfcf34dff0c3a9c51265b1d0f9dfc9f","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/nifi/commit/e62aa0252dfcf34dff0c3a9c51265b1d0f9dfc9f"},{"reference_url":"https://issues.apache.org/jira/browse/NIFI-5442","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://issues.apache.org/jira/browse/NIFI-5442"},{"reference_url":"https://nifi.apache.org/security.html#CVE-2018-17193","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nifi.apache.org/security.html#CVE-2018-17193"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-17193","reference_id":"CVE-2018-17193","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-17193"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/34094?format=json","purl":"pkg:maven/org.apache.nifi/nifi@1.8.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ema-4jrp-3kfr"},{"vulnerability":"VCID-3eka-p4cs-f3dz"},{"vulnerability":"VCID-4uja-72yx-6qdc"},{"vulnerability":"VCID-4v3d-ugqf-uyag"},{"vulnerability":"VCID-bppj-knks-jybe"},{"vulnerability":"VCID-bpqd-tx8f-kycf"},{"vulnerability":"VCID-ec58-s3nd-7yaz"},{"vulnerability":"VCID-g74u-zmqj-gyb7"},{"vulnerability":"VCID-gqjq-sbf1-x7ew"},{"vulnerability":"VCID-hy35-v2p5-2ycq"},{"vulnerability":"VCID-rn4r-36ab-sfey"},{"vulnerability":"VCID-rv8f-q4a4-xqbk"},{"vulnerability":"VCID-yrgr-3cv3-b3ff"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.8.0"}],"aliases":["CVE-2018-17193","GHSA-4qq9-rrq6-48ff"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6mt2-4tn4-5bcb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/52510?format=json","vulnerability_id":"VCID-bppj-knks-jybe","summary":"Improper Restriction of XML External Entity Reference in Apache NiFi\nIn Apache NiFi 1.0.0 to 1.11.4, the notification service manager and various policy authorizer and user group provider objects allowed trusted administrators to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE).","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-13940","reference_id":"","reference_type":"","scores":[{"value":"0.0096","scoring_system":"epss","scoring_elements":"0.76542","published_at":"2026-05-05T12:55:00Z"},{"value":"0.0096","scoring_system":"epss","scoring_elements":"0.76473","published_at":"2026-04-12T12:55:00Z"},{"value":"0.0096","scoring_system":"epss","scoring_elements":"0.76509","published_at":"2026-04-16T12:55:00Z"},{"value":"0.0096","scoring_system":"epss","scoring_elements":"0.76513","published_at":"2026-04-18T12:55:00Z"},{"value":"0.0096","scoring_system":"epss","scoring_elements":"0.76501","published_at":"2026-04-21T12:55:00Z"},{"value":"0.0096","scoring_system":"epss","scoring_elements":"0.76535","published_at":"2026-04-24T12:55:00Z"},{"value":"0.0096","scoring_system":"epss","scoring_elements":"0.76541","published_at":"2026-04-26T12:55:00Z"},{"value":"0.0096","scoring_system":"epss","scoring_elements":"0.76554","published_at":"2026-04-29T12:55:00Z"},{"value":"0.0096","scoring_system":"epss","scoring_elements":"0.7641","published_at":"2026-04-01T12:55:00Z"},{"value":"0.0096","scoring_system":"epss","scoring_elements":"0.76413","published_at":"2026-04-02T12:55:00Z"},{"value":"0.0096","scoring_system":"epss","scoring_elements":"0.76441","published_at":"2026-04-04T12:55:00Z"},{"value":"0.0096","scoring_system":"epss","scoring_elements":"0.76423","published_at":"2026-04-07T12:55:00Z"},{"value":"0.0096","scoring_system":"epss","scoring_elements":"0.76455","published_at":"2026-04-08T12:55:00Z"},{"value":"0.0096","scoring_system":"epss","scoring_elements":"0.76469","published_at":"2026-04-13T12:55:00Z"},{"value":"0.0096","scoring_system":"epss","scoring_elements":"0.76495","published_at":"2026-04-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-13940"},{"reference_url":"https://github.com/apache/nifi/commit/7f0416ee8bdcee95e28409cc6fae9c1394c2a798","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/nifi/commit/7f0416ee8bdcee95e28409cc6fae9c1394c2a798"},{"reference_url":"https://nifi.apache.org/security#CVE-2020-13940","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nifi.apache.org/security#CVE-2020-13940"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13940","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13940"},{"reference_url":"https://github.com/advisories/GHSA-q4xf-3pmq-3hw8","reference_id":"GHSA-q4xf-3pmq-3hw8","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-q4xf-3pmq-3hw8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/80226?format=json","purl":"pkg:maven/org.apache.nifi/nifi@1.12.0-RC1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.12.0-RC1"},{"url":"http://public2.vulnerablecode.io/api/packages/215703?format=json","purl":"pkg:maven/org.apache.nifi/nifi@1.12.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3eka-p4cs-f3dz"},{"vulnerability":"VCID-4uja-72yx-6qdc"},{"vulnerability":"VCID-bpqd-tx8f-kycf"},{"vulnerability":"VCID-ec58-s3nd-7yaz"},{"vulnerability":"VCID-g74u-zmqj-gyb7"},{"vulnerability":"VCID-hy35-v2p5-2ycq"},{"vulnerability":"VCID-rn4r-36ab-sfey"},{"vulnerability":"VCID-rv8f-q4a4-xqbk"},{"vulnerability":"VCID-xhjy-xmhq-abh7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.12.0"}],"aliases":["CVE-2020-13940","GHSA-q4xf-3pmq-3hw8"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bppj-knks-jybe"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/14007?format=json","vulnerability_id":"VCID-bpqd-tx8f-kycf","summary":"Improper Restriction of XML External Entity Reference\nMultiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configuration. The Standard Content Viewer service attempts to resolve XML External Entity references when viewing formatted XML files. The following Processors attempt to resolve XML External Entity references when configured with default property values: - `EvaluateXPath` - `EvaluateXQuery` - `ValidateXml` Apache NiFi flow configurations that include these Processors is vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. The resolution disables Document Type Declarations in the default configuration for these Processors, and disallows XML External Entity resolution in standard services.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-29265","reference_id":"","reference_type":"","scores":[{"value":"0.0212","scoring_system":"epss","scoring_elements":"0.84221","published_at":"2026-05-05T12:55:00Z"},{"value":"0.0212","scoring_system":"epss","scoring_elements":"0.84146","published_at":"2026-04-11T12:55:00Z"},{"value":"0.0212","scoring_system":"epss","scoring_elements":"0.84141","published_at":"2026-04-12T12:55:00Z"},{"value":"0.0212","scoring_system":"epss","scoring_elements":"0.84136","published_at":"2026-04-13T12:55:00Z"},{"value":"0.0212","scoring_system":"epss","scoring_elements":"0.84159","published_at":"2026-04-16T12:55:00Z"},{"value":"0.0212","scoring_system":"epss","scoring_elements":"0.8416","published_at":"2026-04-18T12:55:00Z"},{"value":"0.0212","scoring_system":"epss","scoring_elements":"0.84164","published_at":"2026-04-21T12:55:00Z"},{"value":"0.0212","scoring_system":"epss","scoring_elements":"0.84189","published_at":"2026-04-24T12:55:00Z"},{"value":"0.0212","scoring_system":"epss","scoring_elements":"0.84196","published_at":"2026-04-26T12:55:00Z"},{"value":"0.0212","scoring_system":"epss","scoring_elements":"0.84201","published_at":"2026-04-29T12:55:00Z"},{"value":"0.0212","scoring_system":"epss","scoring_elements":"0.84081","published_at":"2026-04-02T12:55:00Z"},{"value":"0.0212","scoring_system":"epss","scoring_elements":"0.84098","published_at":"2026-04-04T12:55:00Z"},{"value":"0.0212","scoring_system":"epss","scoring_elements":"0.841","published_at":"2026-04-07T12:55:00Z"},{"value":"0.0212","scoring_system":"epss","scoring_elements":"0.84123","published_at":"2026-04-08T12:55:00Z"},{"value":"0.0212","scoring_system":"epss","scoring_elements":"0.84129","published_at":"2026-04-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-29265"},{"reference_url":"https://github.com/apache/nifi","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/nifi"},{"reference_url":"https://lists.apache.org/thread/47od9kr9n4cyv0mv81jh3pkyx815kyjl","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread/47od9kr9n4cyv0mv81jh3pkyx815kyjl"},{"reference_url":"https://nifi.apache.org/security.html#CVE-2022-29265","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nifi.apache.org/security.html#CVE-2022-29265"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-29265","reference_id":"CVE-2022-29265","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-29265"},{"reference_url":"https://github.com/advisories/GHSA-wc97-7623-rxwx","reference_id":"GHSA-wc97-7623-rxwx","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wc97-7623-rxwx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/50091?format=json","purl":"pkg:maven/org.apache.nifi/nifi@1.16.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3eka-p4cs-f3dz"},{"vulnerability":"VCID-4uja-72yx-6qdc"},{"vulnerability":"VCID-g74u-zmqj-gyb7"},{"vulnerability":"VCID-hy35-v2p5-2ycq"},{"vulnerability":"VCID-rv8f-q4a4-xqbk"},{"vulnerability":"VCID-xhjy-xmhq-abh7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.16.1"}],"aliases":["CVE-2022-29265","GHSA-wc97-7623-rxwx"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bpqd-tx8f-kycf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/52496?format=json","vulnerability_id":"VCID-cg2v-phw4-ake2","summary":"Missing Authentication for Critical Function in Apache NiFi\nIn Apache NiFi 1.0.0 to 1.11.4, the NiFi download token (one-time password) mechanism used a fixed cache size and did not authenticate a request to create a download token, only when attempting to use the token to access the content. An unauthenticated user could repeatedly request download tokens, preventing legitimate users from requesting download tokens.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-9487","reference_id":"","reference_type":"","scores":[{"value":"0.00633","scoring_system":"epss","scoring_elements":"0.70417","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00633","scoring_system":"epss","scoring_elements":"0.70351","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00633","scoring_system":"epss","scoring_elements":"0.70394","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00633","scoring_system":"epss","scoring_elements":"0.70403","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00633","scoring_system":"epss","scoring_elements":"0.70384","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00633","scoring_system":"epss","scoring_elements":"0.70434","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00633","scoring_system":"epss","scoring_elements":"0.70444","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00633","scoring_system":"epss","scoring_elements":"0.70443","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00633","scoring_system":"epss","scoring_elements":"0.70288","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00633","scoring_system":"epss","scoring_elements":"0.70301","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00633","scoring_system":"epss","scoring_elements":"0.70318","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00633","scoring_system":"epss","scoring_elements":"0.70296","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00633","scoring_system":"epss","scoring_elements":"0.70341","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00633","scoring_system":"epss","scoring_elements":"0.70356","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00633","scoring_system":"epss","scoring_elements":"0.70379","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00633","scoring_system":"epss","scoring_elements":"0.70364","published_at":"2026-04-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-9487"},{"reference_url":"https://github.com/apache/nifi/commit/01e42dfb3291c3a3549023edadafd2d8023f3042","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/nifi/commit/01e42dfb3291c3a3549023edadafd2d8023f3042"},{"reference_url":"https://github.com/apache/nifi/pull/4271","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/nifi/pull/4271"},{"reference_url":"https://nifi.apache.org/security#CVE-2020-9487","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nifi.apache.org/security#CVE-2020-9487"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-9487","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-9487"},{"reference_url":"https://github.com/advisories/GHSA-3pp3-77j6-8ph6","reference_id":"GHSA-3pp3-77j6-8ph6","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3pp3-77j6-8ph6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/80226?format=json","purl":"pkg:maven/org.apache.nifi/nifi@1.12.0-RC1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.12.0-RC1"}],"aliases":["CVE-2020-9487","GHSA-3pp3-77j6-8ph6"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cg2v-phw4-ake2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/52447?format=json","vulnerability_id":"VCID-gqjq-sbf1-x7ew","summary":"Cross-site scripting in Apache NiFi\nA XSS vulnerability was found in Apache NiFi 1.0.0 to 1.10.0. Malicious scripts could be injected to the UI through action by an unaware authenticated user in Firefox. Did not appear to occur in other browsers.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-1933","reference_id":"","reference_type":"","scores":[{"value":"0.00485","scoring_system":"epss","scoring_elements":"0.65377","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00485","scoring_system":"epss","scoring_elements":"0.6534","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00485","scoring_system":"epss","scoring_elements":"0.65376","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00485","scoring_system":"epss","scoring_elements":"0.65387","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00485","scoring_system":"epss","scoring_elements":"0.65371","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00485","scoring_system":"epss","scoring_elements":"0.65388","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00485","scoring_system":"epss","scoring_elements":"0.65401","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00485","scoring_system":"epss","scoring_elements":"0.65398","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00485","scoring_system":"epss","scoring_elements":"0.65259","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00485","scoring_system":"epss","scoring_elements":"0.65309","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00485","scoring_system":"epss","scoring_elements":"0.65334","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00485","scoring_system":"epss","scoring_elements":"0.65298","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00485","scoring_system":"epss","scoring_elements":"0.6535","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00485","scoring_system":"epss","scoring_elements":"0.65362","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00485","scoring_system":"epss","scoring_elements":"0.65381","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00485","scoring_system":"epss","scoring_elements":"0.65368","published_at":"2026-04-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-1933"},{"reference_url":"https://github.com/apache/nifi/pull/3991","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/nifi/pull/3991"},{"reference_url":"https://nifi.apache.org/security.html#CVE-2020-1933","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nifi.apache.org/security.html#CVE-2020-1933"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-1933","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-1933"},{"reference_url":"https://github.com/advisories/GHSA-pqhq-xx62-2v2p","reference_id":"GHSA-pqhq-xx62-2v2p","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-pqhq-xx62-2v2p"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/80194?format=json","purl":"pkg:maven/org.apache.nifi/nifi@1.11.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ema-4jrp-3kfr"},{"vulnerability":"VCID-3eka-p4cs-f3dz"},{"vulnerability":"VCID-4uja-72yx-6qdc"},{"vulnerability":"VCID-bppj-knks-jybe"},{"vulnerability":"VCID-bpqd-tx8f-kycf"},{"vulnerability":"VCID-ec58-s3nd-7yaz"},{"vulnerability":"VCID-g74u-zmqj-gyb7"},{"vulnerability":"VCID-hy35-v2p5-2ycq"},{"vulnerability":"VCID-rn4r-36ab-sfey"},{"vulnerability":"VCID-rv8f-q4a4-xqbk"},{"vulnerability":"VCID-xhjy-xmhq-abh7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.11.0"}],"aliases":["CVE-2020-1933","GHSA-pqhq-xx62-2v2p"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gqjq-sbf1-x7ew"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/19954?format=json","vulnerability_id":"VCID-hy35-v2p5-2ycq","summary":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nApache NiFi 0.7.0 through 1.23.2 include the JoltTransformJSON Processor, which provides an advanced configuration user interface that is vulnerable to DOM-based cross-site scripting. If an authenticated user, who is authorized to configure a JoltTransformJSON Processor, visits a crafted URL, then arbitrary\nJavaScript code can be executed within the session context of the authenticated user. Upgrading to Apache NiFi 1.24.0 or 2.0.0-M1 is the recommended mitigation.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-49145","reference_id":"","reference_type":"","scores":[{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52552","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52507","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52565","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52602","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52641","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52656","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52649","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52545","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52578","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.5261","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52625","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52642","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52591","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52597","published_at":"2026-04-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-49145"},{"reference_url":"https://github.com/apache/nifi","reference_id":"","reference_type":"","scores":[{"value":"7.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/nifi"},{"reference_url":"https://github.com/apache/nifi/commit/50efc55df6bb00ea15adcc2459d5cc82d128857f","reference_id":"","reference_type":"","scores":[{"value":"7.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/nifi/commit/50efc55df6bb00ea15adcc2459d5cc82d128857f"},{"reference_url":"https://github.com/apache/nifi/pull/8060","reference_id":"","reference_type":"","scores":[{"value":"7.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/nifi/pull/8060"},{"reference_url":"https://issues.apache.org/jira/browse/NIFI-12403","reference_id":"","reference_type":"","scores":[{"value":"7.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://issues.apache.org/jira/browse/NIFI-12403"},{"reference_url":"https://lists.apache.org/thread/j8rd0qsvgoj0khqck5f49jfbp0fm8r1o","reference_id":"","reference_type":"","scores":[{"value":"7.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread/j8rd0qsvgoj0khqck5f49jfbp0fm8r1o"},{"reference_url":"https://nifi.apache.org/security.html#CVE-2023-49145","reference_id":"","reference_type":"","scores":[{"value":"7.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nifi.apache.org/security.html#CVE-2023-49145"},{"reference_url":"http://www.openwall.com/lists/oss-security/2023/11/27/5","reference_id":"","reference_type":"","scores":[{"value":"7.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2023/11/27/5"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-49145","reference_id":"CVE-2023-49145","reference_type":"","scores":[{"value":"7.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-49145"},{"reference_url":"https://github.com/advisories/GHSA-68pr-6fjc-wmgm","reference_id":"GHSA-68pr-6fjc-wmgm","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-68pr-6fjc-wmgm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/61314?format=json","purl":"pkg:maven/org.apache.nifi/nifi@1.24.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.24.0"}],"aliases":["CVE-2023-49145","GHSA-68pr-6fjc-wmgm"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hy35-v2p5-2ycq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9053?format=json","vulnerability_id":"VCID-j263-1hyr-t7hn","summary":"Deserialization of Untrusted Data\nApache NiFi JMS Deserialization issue because of ActiveMQ client vulnerability. Malicious JMS content could cause denial of service.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-1310","reference_id":"","reference_type":"","scores":[{"value":"0.0184","scoring_system":"epss","scoring_elements":"0.83053","published_at":"2026-05-05T12:55:00Z"},{"value":"0.0184","scoring_system":"epss","scoring_elements":"0.82952","published_at":"2026-04-13T12:55:00Z"},{"value":"0.0184","scoring_system":"epss","scoring_elements":"0.82991","published_at":"2026-04-16T12:55:00Z"},{"value":"0.0184","scoring_system":"epss","scoring_elements":"0.8299","published_at":"2026-04-18T12:55:00Z"},{"value":"0.0184","scoring_system":"epss","scoring_elements":"0.82994","published_at":"2026-04-21T12:55:00Z"},{"value":"0.0184","scoring_system":"epss","scoring_elements":"0.83016","published_at":"2026-04-24T12:55:00Z"},{"value":"0.0184","scoring_system":"epss","scoring_elements":"0.83024","published_at":"2026-04-26T12:55:00Z"},{"value":"0.0184","scoring_system":"epss","scoring_elements":"0.8303","published_at":"2026-04-29T12:55:00Z"},{"value":"0.0184","scoring_system":"epss","scoring_elements":"0.82888","published_at":"2026-04-01T12:55:00Z"},{"value":"0.0184","scoring_system":"epss","scoring_elements":"0.82905","published_at":"2026-04-02T12:55:00Z"},{"value":"0.0184","scoring_system":"epss","scoring_elements":"0.82917","published_at":"2026-04-04T12:55:00Z"},{"value":"0.0184","scoring_system":"epss","scoring_elements":"0.82913","published_at":"2026-04-07T12:55:00Z"},{"value":"0.0184","scoring_system":"epss","scoring_elements":"0.82939","published_at":"2026-04-08T12:55:00Z"},{"value":"0.0184","scoring_system":"epss","scoring_elements":"0.82946","published_at":"2026-04-09T12:55:00Z"},{"value":"0.0184","scoring_system":"epss","scoring_elements":"0.82961","published_at":"2026-04-11T12:55:00Z"},{"value":"0.0184","scoring_system":"epss","scoring_elements":"0.82956","published_at":"2026-04-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-1310"},{"reference_url":"https://nifi.apache.org/security.html#CVE-2018-1310","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nifi.apache.org/security.html#CVE-2018-1310"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1310","reference_id":"CVE-2018-1310","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:N/C:N/I:N/A:P"},{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1310"},{"reference_url":"https://github.com/advisories/GHSA-p76j-5v6v-6c22","reference_id":"GHSA-p76j-5v6v-6c22","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-p76j-5v6v-6c22"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/27859?format=json","purl":"pkg:maven/org.apache.nifi/nifi@1.6.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2dsr-hras-zudk"},{"vulnerability":"VCID-2ema-4jrp-3kfr"},{"vulnerability":"VCID-3eka-p4cs-f3dz"},{"vulnerability":"VCID-4v3d-ugqf-uyag"},{"vulnerability":"VCID-6mt2-4tn4-5bcb"},{"vulnerability":"VCID-bppj-knks-jybe"},{"vulnerability":"VCID-bpqd-tx8f-kycf"},{"vulnerability":"VCID-g74u-zmqj-gyb7"},{"vulnerability":"VCID-gqjq-sbf1-x7ew"},{"vulnerability":"VCID-hy35-v2p5-2ycq"},{"vulnerability":"VCID-rj21-6d19-gqbe"},{"vulnerability":"VCID-rn4r-36ab-sfey"},{"vulnerability":"VCID-rv8f-q4a4-xqbk"},{"vulnerability":"VCID-yrgr-3cv3-b3ff"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.6.0"}],"aliases":["CVE-2018-1310","GHSA-p76j-5v6v-6c22"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-j263-1hyr-t7hn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8714?format=json","vulnerability_id":"VCID-k1bm-1u7b-vybp","summary":"Improper Input Validation\nA malicious host header in an incoming HTTP request could cause NiFi to load resources from an external server.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-12632","reference_id":"","reference_type":"","scores":[{"value":"0.0053","scoring_system":"epss","scoring_elements":"0.67267","published_at":"2026-05-05T12:55:00Z"},{"value":"0.0053","scoring_system":"epss","scoring_elements":"0.67235","published_at":"2026-04-13T12:55:00Z"},{"value":"0.0053","scoring_system":"epss","scoring_elements":"0.67282","published_at":"2026-04-24T12:55:00Z"},{"value":"0.0053","scoring_system":"epss","scoring_elements":"0.67262","published_at":"2026-04-21T12:55:00Z"},{"value":"0.0053","scoring_system":"epss","scoring_elements":"0.67292","published_at":"2026-04-26T12:55:00Z"},{"value":"0.0053","scoring_system":"epss","scoring_elements":"0.67294","published_at":"2026-04-29T12:55:00Z"},{"value":"0.0053","scoring_system":"epss","scoring_elements":"0.67162","published_at":"2026-04-01T12:55:00Z"},{"value":"0.0053","scoring_system":"epss","scoring_elements":"0.672","published_at":"2026-04-07T12:55:00Z"},{"value":"0.0053","scoring_system":"epss","scoring_elements":"0.67224","published_at":"2026-04-04T12:55:00Z"},{"value":"0.0053","scoring_system":"epss","scoring_elements":"0.67251","published_at":"2026-04-08T12:55:00Z"},{"value":"0.0053","scoring_system":"epss","scoring_elements":"0.67265","published_at":"2026-04-09T12:55:00Z"},{"value":"0.0053","scoring_system":"epss","scoring_elements":"0.67284","published_at":"2026-04-11T12:55:00Z"},{"value":"0.0053","scoring_system":"epss","scoring_elements":"0.6727","published_at":"2026-04-16T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-12632"},{"reference_url":"https://nifi.apache.org/security.html#CVE-2017-12632","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nifi.apache.org/security.html#CVE-2017-12632"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-12632","reference_id":"CVE-2017-12632","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-12632"},{"reference_url":"https://github.com/advisories/GHSA-w4x6-j349-9r57","reference_id":"GHSA-w4x6-j349-9r57","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-w4x6-j349-9r57"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/26296?format=json","purl":"pkg:maven/org.apache.nifi/nifi@1.5.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2dsr-hras-zudk"},{"vulnerability":"VCID-2ema-4jrp-3kfr"},{"vulnerability":"VCID-3eka-p4cs-f3dz"},{"vulnerability":"VCID-4v3d-ugqf-uyag"},{"vulnerability":"VCID-6mt2-4tn4-5bcb"},{"vulnerability":"VCID-bppj-knks-jybe"},{"vulnerability":"VCID-bpqd-tx8f-kycf"},{"vulnerability":"VCID-g74u-zmqj-gyb7"},{"vulnerability":"VCID-gqjq-sbf1-x7ew"},{"vulnerability":"VCID-hy35-v2p5-2ycq"},{"vulnerability":"VCID-j263-1hyr-t7hn"},{"vulnerability":"VCID-rj21-6d19-gqbe"},{"vulnerability":"VCID-rn4r-36ab-sfey"},{"vulnerability":"VCID-rv8f-q4a4-xqbk"},{"vulnerability":"VCID-yrgr-3cv3-b3ff"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.5.0"}],"aliases":["CVE-2017-12632","GHSA-w4x6-j349-9r57"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-k1bm-1u7b-vybp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/7976?format=json","vulnerability_id":"VCID-r9su-47z6-x7cw","summary":"Origin Validation Error\nApache NiFi needs to establish the response header telling browsers to only allow framing with the same origin.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-7667","reference_id":"","reference_type":"","scores":[{"value":"0.00392","scoring_system":"epss","scoring_elements":"0.60163","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00392","scoring_system":"epss","scoring_elements":"0.60197","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00392","scoring_system":"epss","scoring_elements":"0.60237","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00392","scoring_system":"epss","scoring_elements":"0.60244","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00392","scoring_system":"epss","scoring_elements":"0.60232","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00392","scoring_system":"epss","scoring_elements":"0.60202","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00392","scoring_system":"epss","scoring_elements":"0.60218","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00392","scoring_system":"epss","scoring_elements":"0.60206","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00392","scoring_system":"epss","scoring_elements":"0.60071","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00392","scoring_system":"epss","scoring_elements":"0.60149","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00392","scoring_system":"epss","scoring_elements":"0.60174","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00392","scoring_system":"epss","scoring_elements":"0.60143","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00392","scoring_system":"epss","scoring_elements":"0.60193","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00392","scoring_system":"epss","scoring_elements":"0.60207","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00392","scoring_system":"epss","scoring_elements":"0.60228","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00392","scoring_system":"epss","scoring_elements":"0.60215","published_at":"2026-04-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-7667"},{"reference_url":"https://lists.apache.org/thread.html/d779d6129de1a5aa149c219b2fc6e9e78156614eaac92a89cbaf9bce@%3Cdev.nifi.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/d779d6129de1a5aa149c219b2fc6e9e78156614eaac92a89cbaf9bce@%3Cdev.nifi.apache.org%3E"},{"reference_url":"http://www.securityfocus.com/bid/99018","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.securityfocus.com/bid/99018"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-7667","reference_id":"CVE-2017-7667","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-7667"},{"reference_url":"https://github.com/advisories/GHSA-jvx9-rj3w-jq99","reference_id":"GHSA-jvx9-rj3w-jq99","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jvx9-rj3w-jq99"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/24283?format=json","purl":"pkg:maven/org.apache.nifi/nifi@1.3.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2dsr-hras-zudk"},{"vulnerability":"VCID-2ema-4jrp-3kfr"},{"vulnerability":"VCID-3eka-p4cs-f3dz"},{"vulnerability":"VCID-3rp1-pc25-euhm"},{"vulnerability":"VCID-4v3d-ugqf-uyag"},{"vulnerability":"VCID-6mt2-4tn4-5bcb"},{"vulnerability":"VCID-bppj-knks-jybe"},{"vulnerability":"VCID-bpqd-tx8f-kycf"},{"vulnerability":"VCID-g74u-zmqj-gyb7"},{"vulnerability":"VCID-gqjq-sbf1-x7ew"},{"vulnerability":"VCID-hy35-v2p5-2ycq"},{"vulnerability":"VCID-j263-1hyr-t7hn"},{"vulnerability":"VCID-k1bm-1u7b-vybp"},{"vulnerability":"VCID-rj21-6d19-gqbe"},{"vulnerability":"VCID-rjau-hbsn-u3ah"},{"vulnerability":"VCID-rn4r-36ab-sfey"},{"vulnerability":"VCID-rv8f-q4a4-xqbk"},{"vulnerability":"VCID-w18h-3c8s-s3eq"},{"vulnerability":"VCID-yrgr-3cv3-b3ff"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.3.0"}],"aliases":["CVE-2017-7667","GHSA-jvx9-rj3w-jq99"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-r9su-47z6-x7cw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/4824?format=json","vulnerability_id":"VCID-rj21-6d19-gqbe","summary":"The X-Frame-Options headers were applied inconsistently on some HTTP responses, resulting in duplicate or missing security headers. Some browsers would interpret these results incorrectly, allowing clickjacking attacks. Mitigation: The fix to consistently apply the security headers was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-17192","reference_id":"","reference_type":"","scores":[{"value":"0.00798","scoring_system":"epss","scoring_elements":"0.74104","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00798","scoring_system":"epss","scoring_elements":"0.73978","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00798","scoring_system":"epss","scoring_elements":"0.74012","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00798","scoring_system":"epss","scoring_elements":"0.74026","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00798","scoring_system":"epss","scoring_elements":"0.74049","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00798","scoring_system":"epss","scoring_elements":"0.7403","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00798","scoring_system":"epss","scoring_elements":"0.74023","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00798","scoring_system":"epss","scoring_elements":"0.74062","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00798","scoring_system":"epss","scoring_elements":"0.74071","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00798","scoring_system":"epss","scoring_elements":"0.74063","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00798","scoring_system":"epss","scoring_elements":"0.74096","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00798","scoring_system":"epss","scoring_elements":"0.74105","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00798","scoring_system":"epss","scoring_elements":"0.73974","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00798","scoring_system":"epss","scoring_elements":"0.73981","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00798","scoring_system":"epss","scoring_elements":"0.74007","published_at":"2026-04-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-17192"},{"reference_url":"https://github.com/advisories/GHSA-2xpp-75vr-22vq","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2xpp-75vr-22vq"},{"reference_url":"https://github.com/apache/nifi/commit/dbf259508c2b8e176d8cb837177aaadbf44f0670","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/nifi/commit/dbf259508c2b8e176d8cb837177aaadbf44f0670"},{"reference_url":"https://issues.apache.org/jira/browse/NIFI-5258","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://issues.apache.org/jira/browse/NIFI-5258"},{"reference_url":"https://nifi.apache.org/security.html#CVE-2018-17192","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nifi.apache.org/security.html#CVE-2018-17192"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-17192","reference_id":"CVE-2018-17192","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-17192"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/34100?format=json","purl":"pkg:maven/org.apache.nifi/nifi@1.7.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2dsr-hras-zudk"},{"vulnerability":"VCID-2ema-4jrp-3kfr"},{"vulnerability":"VCID-3eka-p4cs-f3dz"},{"vulnerability":"VCID-4v3d-ugqf-uyag"},{"vulnerability":"VCID-6mt2-4tn4-5bcb"},{"vulnerability":"VCID-bppj-knks-jybe"},{"vulnerability":"VCID-bpqd-tx8f-kycf"},{"vulnerability":"VCID-ec58-s3nd-7yaz"},{"vulnerability":"VCID-g74u-zmqj-gyb7"},{"vulnerability":"VCID-gqjq-sbf1-x7ew"},{"vulnerability":"VCID-hy35-v2p5-2ycq"},{"vulnerability":"VCID-rn4r-36ab-sfey"},{"vulnerability":"VCID-rv8f-q4a4-xqbk"},{"vulnerability":"VCID-yrgr-3cv3-b3ff"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.7.0"},{"url":"http://public2.vulnerablecode.io/api/packages/34094?format=json","purl":"pkg:maven/org.apache.nifi/nifi@1.8.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ema-4jrp-3kfr"},{"vulnerability":"VCID-3eka-p4cs-f3dz"},{"vulnerability":"VCID-4uja-72yx-6qdc"},{"vulnerability":"VCID-4v3d-ugqf-uyag"},{"vulnerability":"VCID-bppj-knks-jybe"},{"vulnerability":"VCID-bpqd-tx8f-kycf"},{"vulnerability":"VCID-ec58-s3nd-7yaz"},{"vulnerability":"VCID-g74u-zmqj-gyb7"},{"vulnerability":"VCID-gqjq-sbf1-x7ew"},{"vulnerability":"VCID-hy35-v2p5-2ycq"},{"vulnerability":"VCID-rn4r-36ab-sfey"},{"vulnerability":"VCID-rv8f-q4a4-xqbk"},{"vulnerability":"VCID-yrgr-3cv3-b3ff"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.8.0"}],"aliases":["CVE-2018-17192","GHSA-2xpp-75vr-22vq"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rj21-6d19-gqbe"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8716?format=json","vulnerability_id":"VCID-rjau-hbsn-u3ah","summary":"Improper Input Validation\nA malicious `X-ProxyContextPath` or `X-Forwarded-Context` header containing external resources or embedded code could cause remote code execution.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-15697","reference_id":"","reference_type":"","scores":[{"value":"0.02452","scoring_system":"epss","scoring_elements":"0.85276","published_at":"2026-05-05T12:55:00Z"},{"value":"0.02452","scoring_system":"epss","scoring_elements":"0.85231","published_at":"2026-04-21T12:55:00Z"},{"value":"0.02452","scoring_system":"epss","scoring_elements":"0.85232","published_at":"2026-04-18T12:55:00Z"},{"value":"0.02452","scoring_system":"epss","scoring_elements":"0.85254","published_at":"2026-04-24T12:55:00Z"},{"value":"0.02452","scoring_system":"epss","scoring_elements":"0.85263","published_at":"2026-04-26T12:55:00Z"},{"value":"0.02452","scoring_system":"epss","scoring_elements":"0.85261","published_at":"2026-04-29T12:55:00Z"},{"value":"0.02452","scoring_system":"epss","scoring_elements":"0.85141","published_at":"2026-04-01T12:55:00Z"},{"value":"0.02452","scoring_system":"epss","scoring_elements":"0.85153","published_at":"2026-04-02T12:55:00Z"},{"value":"0.02452","scoring_system":"epss","scoring_elements":"0.85171","published_at":"2026-04-04T12:55:00Z"},{"value":"0.02452","scoring_system":"epss","scoring_elements":"0.85172","published_at":"2026-04-07T12:55:00Z"},{"value":"0.02452","scoring_system":"epss","scoring_elements":"0.85194","published_at":"2026-04-08T12:55:00Z"},{"value":"0.02452","scoring_system":"epss","scoring_elements":"0.85202","published_at":"2026-04-09T12:55:00Z"},{"value":"0.02452","scoring_system":"epss","scoring_elements":"0.85216","published_at":"2026-04-11T12:55:00Z"},{"value":"0.02452","scoring_system":"epss","scoring_elements":"0.85214","published_at":"2026-04-12T12:55:00Z"},{"value":"0.02452","scoring_system":"epss","scoring_elements":"0.8521","published_at":"2026-04-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-15697"},{"reference_url":"https://nifi.apache.org/security.html#CVE-2017-15697","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nifi.apache.org/security.html#CVE-2017-15697"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-15697","reference_id":"CVE-2017-15697","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-15697"},{"reference_url":"https://github.com/advisories/GHSA-29ph-fjf3-c5cm","reference_id":"GHSA-29ph-fjf3-c5cm","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-29ph-fjf3-c5cm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/26296?format=json","purl":"pkg:maven/org.apache.nifi/nifi@1.5.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2dsr-hras-zudk"},{"vulnerability":"VCID-2ema-4jrp-3kfr"},{"vulnerability":"VCID-3eka-p4cs-f3dz"},{"vulnerability":"VCID-4v3d-ugqf-uyag"},{"vulnerability":"VCID-6mt2-4tn4-5bcb"},{"vulnerability":"VCID-bppj-knks-jybe"},{"vulnerability":"VCID-bpqd-tx8f-kycf"},{"vulnerability":"VCID-g74u-zmqj-gyb7"},{"vulnerability":"VCID-gqjq-sbf1-x7ew"},{"vulnerability":"VCID-hy35-v2p5-2ycq"},{"vulnerability":"VCID-j263-1hyr-t7hn"},{"vulnerability":"VCID-rj21-6d19-gqbe"},{"vulnerability":"VCID-rn4r-36ab-sfey"},{"vulnerability":"VCID-rv8f-q4a4-xqbk"},{"vulnerability":"VCID-yrgr-3cv3-b3ff"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.5.0"}],"aliases":["CVE-2017-15697","GHSA-29ph-fjf3-c5cm"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rjau-hbsn-u3ah"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/11880?format=json","vulnerability_id":"VCID-rn4r-36ab-sfey","summary":"Exposure of Sensitive Information to an Unauthorized Actor\nIn the TransformXML processor of Apache NiFi an authenticated user could configure an XSLT file which, if it included malicious external entity calls, may reveal sensitive information.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-44145","reference_id":"","reference_type":"","scores":[{"value":"0.00315","scoring_system":"epss","scoring_elements":"0.54524","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00315","scoring_system":"epss","scoring_elements":"0.54595","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00315","scoring_system":"epss","scoring_elements":"0.54632","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00315","scoring_system":"epss","scoring_elements":"0.54634","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00315","scoring_system":"epss","scoring_elements":"0.54612","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00315","scoring_system":"epss","scoring_elements":"0.54582","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00315","scoring_system":"epss","scoring_elements":"0.54599","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00315","scoring_system":"epss","scoring_elements":"0.54577","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00315","scoring_system":"epss","scoring_elements":"0.54509","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00315","scoring_system":"epss","scoring_elements":"0.54581","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00315","scoring_system":"epss","scoring_elements":"0.54605","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00315","scoring_system":"epss","scoring_elements":"0.54574","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00315","scoring_system":"epss","scoring_elements":"0.54625","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00315","scoring_system":"epss","scoring_elements":"0.5462","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00315","scoring_system":"epss","scoring_elements":"0.54633","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00315","scoring_system":"epss","scoring_elements":"0.54616","published_at":"2026-04-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-44145"},{"reference_url":"https://nifi.apache.org/security.html#1.15.1-vulnerabilities","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nifi.apache.org/security.html#1.15.1-vulnerabilities"},{"reference_url":"http://www.openwall.com/lists/oss-security/2021/12/17/1","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2021/12/17/1"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-44145","reference_id":"CVE-2021-44145","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-44145"},{"reference_url":"https://github.com/advisories/GHSA-rq96-qhc5-vm4r","reference_id":"GHSA-rq96-qhc5-vm4r","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rq96-qhc5-vm4r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/42521?format=json","purl":"pkg:maven/org.apache.nifi/nifi@1.15.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3eka-p4cs-f3dz"},{"vulnerability":"VCID-4uja-72yx-6qdc"},{"vulnerability":"VCID-bpqd-tx8f-kycf"},{"vulnerability":"VCID-dmw5-6pw6-j3d6"},{"vulnerability":"VCID-g74u-zmqj-gyb7"},{"vulnerability":"VCID-hy35-v2p5-2ycq"},{"vulnerability":"VCID-rv8f-q4a4-xqbk"},{"vulnerability":"VCID-xhjy-xmhq-abh7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.15.1"}],"aliases":["CVE-2021-44145","GHSA-rq96-qhc5-vm4r"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rn4r-36ab-sfey"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/18547?format=json","vulnerability_id":"VCID-rv8f-q4a4-xqbk","summary":"Apache NiFi Code Injection vulnerability\nApache NiFi 0.0.2 through 1.22.0 include Processors and Controller Services that support HTTP URL references for retrieving drivers, which allows an authenticated and authorized user to configure a location that enables custom code execution. The resolution introduces a new Required Permission for referencing remote resources, restricting configuration of these components to privileged users. The permission prevents unprivileged users from configuring Processors and Controller Services annotated with the new Reference Remote Resources restriction. Upgrading to Apache NiFi 1.23.0 is the recommended mitigation.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-36542","reference_id":"","reference_type":"","scores":[{"value":"0.0096","scoring_system":"epss","scoring_elements":"0.76429","published_at":"2026-04-07T12:55:00Z"},{"value":"0.0096","scoring_system":"epss","scoring_elements":"0.76519","published_at":"2026-04-18T12:55:00Z"},{"value":"0.0096","scoring_system":"epss","scoring_elements":"0.76419","published_at":"2026-04-02T12:55:00Z"},{"value":"0.0096","scoring_system":"epss","scoring_elements":"0.76515","published_at":"2026-04-16T12:55:00Z"},{"value":"0.0096","scoring_system":"epss","scoring_elements":"0.76479","published_at":"2026-04-12T12:55:00Z"},{"value":"0.0096","scoring_system":"epss","scoring_elements":"0.76501","published_at":"2026-04-11T12:55:00Z"},{"value":"0.0096","scoring_system":"epss","scoring_elements":"0.76475","published_at":"2026-04-13T12:55:00Z"},{"value":"0.0096","scoring_system":"epss","scoring_elements":"0.76461","published_at":"2026-04-08T12:55:00Z"},{"value":"0.0096","scoring_system":"epss","scoring_elements":"0.76448","published_at":"2026-04-04T12:55:00Z"},{"value":"0.0096","scoring_system":"epss","scoring_elements":"0.76507","published_at":"2026-04-21T12:55:00Z"},{"value":"0.01165","scoring_system":"epss","scoring_elements":"0.78703","published_at":"2026-04-29T12:55:00Z"},{"value":"0.01165","scoring_system":"epss","scoring_elements":"0.78678","published_at":"2026-04-24T12:55:00Z"},{"value":"0.01165","scoring_system":"epss","scoring_elements":"0.78686","published_at":"2026-04-26T12:55:00Z"},{"value":"0.01165","scoring_system":"epss","scoring_elements":"0.78723","published_at":"2026-05-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-36542"},{"reference_url":"http://seclists.org/fulldisclosure/2023/Jul/43","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-03T13:50:05Z/"}],"url":"http://seclists.org/fulldisclosure/2023/Jul/43"},{"reference_url":"https://github.com/apache/nifi","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/nifi"},{"reference_url":"https://github.com/apache/nifi/commit/532578799c","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/nifi/commit/532578799c"},{"reference_url":"https://issues.apache.org/jira/browse/NIFI-11744","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://issues.apache.org/jira/browse/NIFI-11744"},{"reference_url":"https://lists.apache.org/thread/swnly3dzhhq9zo3rofc8djq77stkhbof","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-03T13:50:05Z/"}],"url":"https://lists.apache.org/thread/swnly3dzhhq9zo3rofc8djq77stkhbof"},{"reference_url":"https://nifi.apache.org/security.html#CVE-2023-36542","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-03T13:50:05Z/"}],"url":"https://nifi.apache.org/security.html#CVE-2023-36542"},{"reference_url":"http://www.openwall.com/lists/oss-security/2023/07/29/1","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-03T13:50:05Z/"}],"url":"http://www.openwall.com/lists/oss-security/2023/07/29/1"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-36542","reference_id":"CVE-2023-36542","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-36542"},{"reference_url":"https://github.com/advisories/GHSA-r969-8v3h-23v9","reference_id":"GHSA-r969-8v3h-23v9","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-r969-8v3h-23v9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/59199?format=json","purl":"pkg:maven/org.apache.nifi/nifi@1.23.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-hy35-v2p5-2ycq"},{"vulnerability":"VCID-ues1-6z47-q7hc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.23.0"}],"aliases":["CVE-2023-36542","GHSA-r969-8v3h-23v9"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rv8f-q4a4-xqbk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/7974?format=json","vulnerability_id":"VCID-tnfn-2kzc-rugx","summary":"Cross-site Scripting\nThere are certain user input components in the UI which had been guarding for some forms of XSS issues but were insufficient.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-7665","reference_id":"","reference_type":"","scores":[{"value":"0.00752","scoring_system":"epss","scoring_elements":"0.73131","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00752","scoring_system":"epss","scoring_elements":"0.73162","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00752","scoring_system":"epss","scoring_elements":"0.73141","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00876","scoring_system":"epss","scoring_elements":"0.75379","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00876","scoring_system":"epss","scoring_elements":"0.7529","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00876","scoring_system":"epss","scoring_elements":"0.75329","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00876","scoring_system":"epss","scoring_elements":"0.75336","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00876","scoring_system":"epss","scoring_elements":"0.75327","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00876","scoring_system":"epss","scoring_elements":"0.75362","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00876","scoring_system":"epss","scoring_elements":"0.75367","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00876","scoring_system":"epss","scoring_elements":"0.75371","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00876","scoring_system":"epss","scoring_elements":"0.75249","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00876","scoring_system":"epss","scoring_elements":"0.75292","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00876","scoring_system":"epss","scoring_elements":"0.75302","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00876","scoring_system":"epss","scoring_elements":"0.75323","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00876","scoring_system":"epss","scoring_elements":"0.75301","published_at":"2026-04-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-7665"},{"reference_url":"https://lists.apache.org/thread.html/d779d6129de1a5aa149c219b2fc6e9e78156614eaac92a89cbaf9bce@%3Cdev.nifi.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/d779d6129de1a5aa149c219b2fc6e9e78156614eaac92a89cbaf9bce@%3Cdev.nifi.apache.org%3E"},{"reference_url":"http://www.securityfocus.com/bid/99009","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.securityfocus.com/bid/99009"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-7665","reference_id":"CVE-2017-7665","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-7665"},{"reference_url":"https://github.com/advisories/GHSA-m5r7-w9v3-ghmx","reference_id":"GHSA-m5r7-w9v3-ghmx","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-m5r7-w9v3-ghmx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/24283?format=json","purl":"pkg:maven/org.apache.nifi/nifi@1.3.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2dsr-hras-zudk"},{"vulnerability":"VCID-2ema-4jrp-3kfr"},{"vulnerability":"VCID-3eka-p4cs-f3dz"},{"vulnerability":"VCID-3rp1-pc25-euhm"},{"vulnerability":"VCID-4v3d-ugqf-uyag"},{"vulnerability":"VCID-6mt2-4tn4-5bcb"},{"vulnerability":"VCID-bppj-knks-jybe"},{"vulnerability":"VCID-bpqd-tx8f-kycf"},{"vulnerability":"VCID-g74u-zmqj-gyb7"},{"vulnerability":"VCID-gqjq-sbf1-x7ew"},{"vulnerability":"VCID-hy35-v2p5-2ycq"},{"vulnerability":"VCID-j263-1hyr-t7hn"},{"vulnerability":"VCID-k1bm-1u7b-vybp"},{"vulnerability":"VCID-rj21-6d19-gqbe"},{"vulnerability":"VCID-rjau-hbsn-u3ah"},{"vulnerability":"VCID-rn4r-36ab-sfey"},{"vulnerability":"VCID-rv8f-q4a4-xqbk"},{"vulnerability":"VCID-w18h-3c8s-s3eq"},{"vulnerability":"VCID-yrgr-3cv3-b3ff"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.3.0"}],"aliases":["CVE-2017-7665","GHSA-m5r7-w9v3-ghmx"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tnfn-2kzc-rugx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8729?format=json","vulnerability_id":"VCID-w18h-3c8s-s3eq","summary":"Deserialization of Untrusted Data\nAny authenticated user (valid client certificate but without ACL permissions) could upload a template which contained malicious code and caused a denial of service via Java deserialization attack.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-15703","reference_id":"","reference_type":"","scores":[{"value":"0.00111","scoring_system":"epss","scoring_elements":"0.28993","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00111","scoring_system":"epss","scoring_elements":"0.29316","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00111","scoring_system":"epss","scoring_elements":"0.29203","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00111","scoring_system":"epss","scoring_elements":"0.29138","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00111","scoring_system":"epss","scoring_elements":"0.29543","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00111","scoring_system":"epss","scoring_elements":"0.2961","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00111","scoring_system":"epss","scoring_elements":"0.29659","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00111","scoring_system":"epss","scoring_elements":"0.2948","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00111","scoring_system":"epss","scoring_elements":"0.29581","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00111","scoring_system":"epss","scoring_elements":"0.29584","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00111","scoring_system":"epss","scoring_elements":"0.29538","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00111","scoring_system":"epss","scoring_elements":"0.29485","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00111","scoring_system":"epss","scoring_elements":"0.29504","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00111","scoring_system":"epss","scoring_elements":"0.29477","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00111","scoring_system":"epss","scoring_elements":"0.29431","published_at":"2026-04-21T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-15703"},{"reference_url":"https://github.com/apache/nifi/commit/9e2c7be7d3c6a380c5f61074d9a5a690b617c3dc","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/nifi/commit/9e2c7be7d3c6a380c5f61074d9a5a690b617c3dc"},{"reference_url":"https://nifi.apache.org/security.html#CVE-2017-15703","reference_id":"","reference_type":"","scores":[],"url":"https://nifi.apache.org/security.html#CVE-2017-15703"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-15703","reference_id":"CVE-2017-15703","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-15703"},{"reference_url":"https://github.com/advisories/GHSA-xwx6-vmj4-5rv8","reference_id":"GHSA-xwx6-vmj4-5rv8","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xwx6-vmj4-5rv8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/26296?format=json","purl":"pkg:maven/org.apache.nifi/nifi@1.5.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2dsr-hras-zudk"},{"vulnerability":"VCID-2ema-4jrp-3kfr"},{"vulnerability":"VCID-3eka-p4cs-f3dz"},{"vulnerability":"VCID-4v3d-ugqf-uyag"},{"vulnerability":"VCID-6mt2-4tn4-5bcb"},{"vulnerability":"VCID-bppj-knks-jybe"},{"vulnerability":"VCID-bpqd-tx8f-kycf"},{"vulnerability":"VCID-g74u-zmqj-gyb7"},{"vulnerability":"VCID-gqjq-sbf1-x7ew"},{"vulnerability":"VCID-hy35-v2p5-2ycq"},{"vulnerability":"VCID-j263-1hyr-t7hn"},{"vulnerability":"VCID-rj21-6d19-gqbe"},{"vulnerability":"VCID-rn4r-36ab-sfey"},{"vulnerability":"VCID-rv8f-q4a4-xqbk"},{"vulnerability":"VCID-yrgr-3cv3-b3ff"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.5.0"}],"aliases":["CVE-2017-15703","GHSA-xwx6-vmj4-5rv8"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-w18h-3c8s-s3eq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8384?format=json","vulnerability_id":"VCID-xv8d-3nef-dygg","summary":"Improper Authentication\nIf an anonymous user request is replicated to another node, the originating node identity is used rather than the \"anonymous\" user.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-5635","reference_id":"","reference_type":"","scores":[{"value":"0.00462","scoring_system":"epss","scoring_elements":"0.64209","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00462","scoring_system":"epss","scoring_elements":"0.64196","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00462","scoring_system":"epss","scoring_elements":"0.6421","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00462","scoring_system":"epss","scoring_elements":"0.64199","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00462","scoring_system":"epss","scoring_elements":"0.64205","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00462","scoring_system":"epss","scoring_elements":"0.64217","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00462","scoring_system":"epss","scoring_elements":"0.64204","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00462","scoring_system":"epss","scoring_elements":"0.64224","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00462","scoring_system":"epss","scoring_elements":"0.64238","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00462","scoring_system":"epss","scoring_elements":"0.64237","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00462","scoring_system":"epss","scoring_elements":"0.64086","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00462","scoring_system":"epss","scoring_elements":"0.64142","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00462","scoring_system":"epss","scoring_elements":"0.6417","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00462","scoring_system":"epss","scoring_elements":"0.6413","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00462","scoring_system":"epss","scoring_elements":"0.6418","published_at":"2026-04-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-5635"},{"reference_url":"https://nifi.apache.org/security.html#CVE-2017-5635","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nifi.apache.org/security.html#CVE-2017-5635"},{"reference_url":"http://www.securityfocus.com/bid/96730","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.securityfocus.com/bid/96730"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:nifi:0.7.0:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:nifi:0.7.0:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:nifi:0.7.0:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:nifi:0.7.1:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:nifi:0.7.1:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:nifi:0.7.1:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:nifi:1.1.0:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:nifi:1.1.0:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:nifi:1.1.0:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:nifi:1.1.1:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:nifi:1.1.1:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:nifi:1.1.1:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-5635","reference_id":"CVE-2017-5635","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:N/C:P/I:N/A:N"},{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-5635"},{"reference_url":"https://github.com/advisories/GHSA-jgj9-6v78-6g8m","reference_id":"GHSA-jgj9-6v78-6g8m","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jgj9-6v78-6g8m"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/24280?format=json","purl":"pkg:maven/org.apache.nifi/nifi@1.1.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2dsr-hras-zudk"},{"vulnerability":"VCID-2ema-4jrp-3kfr"},{"vulnerability":"VCID-3eka-p4cs-f3dz"},{"vulnerability":"VCID-3rp1-pc25-euhm"},{"vulnerability":"VCID-6mt2-4tn4-5bcb"},{"vulnerability":"VCID-bppj-knks-jybe"},{"vulnerability":"VCID-bpqd-tx8f-kycf"},{"vulnerability":"VCID-gqjq-sbf1-x7ew"},{"vulnerability":"VCID-hy35-v2p5-2ycq"},{"vulnerability":"VCID-j263-1hyr-t7hn"},{"vulnerability":"VCID-k1bm-1u7b-vybp"},{"vulnerability":"VCID-r9su-47z6-x7cw"},{"vulnerability":"VCID-rj21-6d19-gqbe"},{"vulnerability":"VCID-rjau-hbsn-u3ah"},{"vulnerability":"VCID-rn4r-36ab-sfey"},{"vulnerability":"VCID-rv8f-q4a4-xqbk"},{"vulnerability":"VCID-tnfn-2kzc-rugx"},{"vulnerability":"VCID-w18h-3c8s-s3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.1.2"}],"aliases":["CVE-2017-5635","GHSA-jgj9-6v78-6g8m"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xv8d-3nef-dygg"}],"fixing_vulnerabilities":[],"risk_score":"10.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.0.0"}