{"url":"http://public2.vulnerablecode.io/api/packages/25020?format=json","purl":"pkg:maven/org.apache.nifi/nifi@1.4.0","type":"maven","namespace":"org.apache.nifi","name":"nifi","version":"1.4.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"1.24.0","latest_non_vulnerable_version":"1.24.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/4832?format=json","vulnerability_id":"VCID-2dsr-hras-zudk","summary":"The template upload API endpoint accepted requests from different domain when sent in conjunction with ARP spoofing + man in the middle (MiTM) attack, resulting in a CSRF attack. The required attack vector is complex, requiring a scenario with client certificate authentication, same subnet access, and injecting malicious code into an unprotected (plaintext HTTP) website which the targeted user later visits, but the possible damage warranted a Severe severity level. Mitigation: The fix to apply Cross-Origin Resource Sharing (CORS) policy request filtering was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-17195","reference_id":"","reference_type":"","scores":[{"value":"0.00364","scoring_system":"epss","scoring_elements":"0.58372","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00364","scoring_system":"epss","scoring_elements":"0.5845","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00364","scoring_system":"epss","scoring_elements":"0.58456","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00364","scoring_system":"epss","scoring_elements":"0.58474","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00364","scoring_system":"epss","scoring_elements":"0.58454","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00364","scoring_system":"epss","scoring_elements":"0.58435","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00364","scoring_system":"epss","scoring_elements":"0.58467","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00364","scoring_system":"epss","scoring_elements":"0.58472","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00364","scoring_system":"epss","scoring_elements":"0.58449","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00364","scoring_system":"epss","scoring_elements":"0.5841","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00364","scoring_system":"epss","scoring_elements":"0.58423","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00364","scoring_system":"epss","scoring_elements":"0.58408","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00364","scoring_system":"epss","scoring_elements":"0.58319","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00364","scoring_system":"epss","scoring_elements":"0.58404","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00364","scoring_system":"epss","scoring_elements":"0.58424","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00364","scoring_system":"epss","scoring_elements":"0.58398","published_at":"2026-04-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-17195"},{"reference_url":"https://github.com/advisories/GHSA-3jq8-jg75-rqv6","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3jq8-jg75-rqv6"},{"reference_url":"https://github.com/apache/nifi/commit/246c090526143943557b15868db6e8fe3fb30cf6","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/nifi/commit/246c090526143943557b15868db6e8fe3fb30cf6"},{"reference_url":"https://issues.apache.org/jira/browse/NIFI-5595","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://issues.apache.org/jira/browse/NIFI-5595"},{"reference_url":"https://nifi.apache.org/security.html#CVE-2018-17195","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nifi.apache.org/security.html#CVE-2018-17195"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-17195","reference_id":"CVE-2018-17195","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-17195"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/34094?format=json","purl":"pkg:maven/org.apache.nifi/nifi@1.8.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ema-4jrp-3kfr"},{"vulnerability":"VCID-3eka-p4cs-f3dz"},{"vulnerability":"VCID-4uja-72yx-6qdc"},{"vulnerability":"VCID-4v3d-ugqf-uyag"},{"vulnerability":"VCID-bppj-knks-jybe"},{"vulnerability":"VCID-bpqd-tx8f-kycf"},{"vulnerability":"VCID-ec58-s3nd-7yaz"},{"vulnerability":"VCID-g74u-zmqj-gyb7"},{"vulnerability":"VCID-gqjq-sbf1-x7ew"},{"vulnerability":"VCID-hy35-v2p5-2ycq"},{"vulnerability":"VCID-rn4r-36ab-sfey"},{"vulnerability":"VCID-rv8f-q4a4-xqbk"},{"vulnerability":"VCID-yrgr-3cv3-b3ff"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.8.0"}],"aliases":["CVE-2018-17195","GHSA-3jq8-jg75-rqv6"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2dsr-hras-zudk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/52506?format=json","vulnerability_id":"VCID-2ema-4jrp-3kfr","summary":"Inadequate Encryption Strength in Apache NiFi\nIn Apache NiFi 1.2.0 to 1.11.4, the NiFi UI and API were protected by mandating TLS v1.2, as well as listening connections established by processors like ListenHTTP, HandleHttpRequest, etc. However intracluster communication such as cluster request replication, Site-to-Site, and load balanced queues continued to support TLS v1.0 or v1.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-9491","reference_id":"","reference_type":"","scores":[{"value":"0.0132","scoring_system":"epss","scoring_elements":"0.79972","published_at":"2026-05-05T12:55:00Z"},{"value":"0.0132","scoring_system":"epss","scoring_elements":"0.79852","published_at":"2026-04-04T12:55:00Z"},{"value":"0.0132","scoring_system":"epss","scoring_elements":"0.7984","published_at":"2026-04-07T12:55:00Z"},{"value":"0.0132","scoring_system":"epss","scoring_elements":"0.79868","published_at":"2026-04-08T12:55:00Z"},{"value":"0.0132","scoring_system":"epss","scoring_elements":"0.79876","published_at":"2026-04-09T12:55:00Z"},{"value":"0.0132","scoring_system":"epss","scoring_elements":"0.79897","published_at":"2026-04-11T12:55:00Z"},{"value":"0.0132","scoring_system":"epss","scoring_elements":"0.7988","published_at":"2026-04-12T12:55:00Z"},{"value":"0.0132","scoring_system":"epss","scoring_elements":"0.79872","published_at":"2026-04-13T12:55:00Z"},{"value":"0.0132","scoring_system":"epss","scoring_elements":"0.79901","published_at":"2026-04-16T12:55:00Z"},{"value":"0.0132","scoring_system":"epss","scoring_elements":"0.79902","published_at":"2026-04-18T12:55:00Z"},{"value":"0.0132","scoring_system":"epss","scoring_elements":"0.79905","published_at":"2026-04-21T12:55:00Z"},{"value":"0.0132","scoring_system":"epss","scoring_elements":"0.79934","published_at":"2026-04-24T12:55:00Z"},{"value":"0.0132","scoring_system":"epss","scoring_elements":"0.7994","published_at":"2026-04-26T12:55:00Z"},{"value":"0.0132","scoring_system":"epss","scoring_elements":"0.79957","published_at":"2026-04-29T12:55:00Z"},{"value":"0.0132","scoring_system":"epss","scoring_elements":"0.79823","published_at":"2026-04-01T12:55:00Z"},{"value":"0.0132","scoring_system":"epss","scoring_elements":"0.7983","published_at":"2026-04-02T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-9491"},{"reference_url":"https://github.com/apache/nifi","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/nifi"},{"reference_url":"https://github.com/apache/nifi/commit/441781cec50f77d9f1e65093f55bbd614b8c5ec6","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/nifi/commit/441781cec50f77d9f1e65093f55bbd614b8c5ec6"},{"reference_url":"https://lists.apache.org/thread.html/r2d9c21f9ec35d66f2bb42f8abe876dabd786166b6284e9a33582c718@%3Ccommits.nifi.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r2d9c21f9ec35d66f2bb42f8abe876dabd786166b6284e9a33582c718@%3Ccommits.nifi.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/re48582efe2ac973f8cff55c8b346825cb491c71935e15ab2d61ef3bf@%3Ccommits.nifi.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/re48582efe2ac973f8cff55c8b346825cb491c71935e15ab2d61ef3bf@%3Ccommits.nifi.apache.org%3E"},{"reference_url":"https://nifi.apache.org/security#CVE-2020-9491","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nifi.apache.org/security#CVE-2020-9491"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-9491","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-9491"},{"reference_url":"https://github.com/advisories/GHSA-rfmp-jvr7-hx78","reference_id":"GHSA-rfmp-jvr7-hx78","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rfmp-jvr7-hx78"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/80226?format=json","purl":"pkg:maven/org.apache.nifi/nifi@1.12.0-RC1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.12.0-RC1"},{"url":"http://public2.vulnerablecode.io/api/packages/215703?format=json","purl":"pkg:maven/org.apache.nifi/nifi@1.12.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3eka-p4cs-f3dz"},{"vulnerability":"VCID-4uja-72yx-6qdc"},{"vulnerability":"VCID-bpqd-tx8f-kycf"},{"vulnerability":"VCID-ec58-s3nd-7yaz"},{"vulnerability":"VCID-g74u-zmqj-gyb7"},{"vulnerability":"VCID-hy35-v2p5-2ycq"},{"vulnerability":"VCID-rn4r-36ab-sfey"},{"vulnerability":"VCID-rv8f-q4a4-xqbk"},{"vulnerability":"VCID-xhjy-xmhq-abh7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.12.0"}],"aliases":["CVE-2020-9491","GHSA-rfmp-jvr7-hx78"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2ema-4jrp-3kfr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/17849?format=json","vulnerability_id":"VCID-3eka-p4cs-f3dz","summary":"Apache NiFi vulnerable to Code Injection\nThe DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution.\n\nThe resolution validates the Database URL and rejects H2 JDBC locations.\n\nYou are recommended to upgrade to version 1.22.0 or later which fixes this issue.","references":[{"reference_url":"http://packetstormsecurity.com/files/174398/Apache-NiFi-H2-Connection-String-Remote-Code-Execution.html","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-08T20:21:50Z/"}],"url":"http://packetstormsecurity.com/files/174398/Apache-NiFi-H2-Connection-String-Remote-Code-Execution.html"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-34468","reference_id":"","reference_type":"","scores":[{"value":"0.77205","scoring_system":"epss","scoring_elements":"0.98973","published_at":"2026-04-13T12:55:00Z"},{"value":"0.77205","scoring_system":"epss","scoring_elements":"0.98967","published_at":"2026-04-04T12:55:00Z"},{"value":"0.77205","scoring_system":"epss","scoring_elements":"0.98974","published_at":"2026-04-16T12:55:00Z"},{"value":"0.77205","scoring_system":"epss","scoring_elements":"0.98975","published_at":"2026-04-21T12:55:00Z"},{"value":"0.77205","scoring_system":"epss","scoring_elements":"0.98969","published_at":"2026-04-07T12:55:00Z"},{"value":"0.77205","scoring_system":"epss","scoring_elements":"0.98971","published_at":"2026-04-09T12:55:00Z"},{"value":"0.77205","scoring_system":"epss","scoring_elements":"0.98972","published_at":"2026-04-12T12:55:00Z"},{"value":"0.77205","scoring_system":"epss","scoring_elements":"0.98965","published_at":"2026-04-02T12:55:00Z"},{"value":"0.77812","scoring_system":"epss","scoring_elements":"0.99009","published_at":"2026-04-24T12:55:00Z"},{"value":"0.77812","scoring_system":"epss","scoring_elements":"0.99017","published_at":"2026-05-05T12:55:00Z"},{"value":"0.77812","scoring_system":"epss","scoring_elements":"0.99013","published_at":"2026-04-29T12:55:00Z"},{"value":"0.77812","scoring_system":"epss","scoring_elements":"0.99011","published_at":"2026-04-26T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-34468"},{"reference_url":"https://exceptionfactory.com/posts/2023/10/07/firsthand-analysis-of-apache-nifi-vulnerability-cve-2023-34468","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://exceptionfactory.com/posts/2023/10/07/firsthand-analysis-of-apache-nifi-vulnerability-cve-2023-34468"},{"reference_url":"https://github.com/apache/nifi","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/nifi"},{"reference_url":"https://github.com/apache/nifi/commit/4faf3ea59895e7e153db3f8f61147ff70a254361","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/nifi/commit/4faf3ea59895e7e153db3f8f61147ff70a254361"},{"reference_url":"https://github.com/apache/nifi/pull/7349","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/nifi/pull/7349"},{"reference_url":"https://issues.apache.org/jira/browse/NIFI-11653","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://issues.apache.org/jira/browse/NIFI-11653"},{"reference_url":"https://lists.apache.org/thread/7b82l4f5blmpkfcynf3y6z4x1vqo59h8","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-08T20:21:50Z/"}],"url":"https://lists.apache.org/thread/7b82l4f5blmpkfcynf3y6z4x1vqo59h8"},{"reference_url":"https://nifi.apache.org/security.html#CVE-2023-34468","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-08T20:21:50Z/"}],"url":"https://nifi.apache.org/security.html#CVE-2023-34468"},{"reference_url":"https://www.cyfirma.com/outofband/apache-nifi-cve-2023-34468-rce-vulnerability-analysis-and-exploitation","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.cyfirma.com/outofband/apache-nifi-cve-2023-34468-rce-vulnerability-analysis-and-exploitation"},{"reference_url":"http://www.openwall.com/lists/oss-security/2023/06/12/3","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-08T20:21:50Z/"}],"url":"http://www.openwall.com/lists/oss-security/2023/06/12/3"},{"reference_url":"https://www.cyfirma.com/outofband/apache-nifi-cve-2023-34468-rce-vulnerability-analysis-and-exploitation/","reference_id":"apache-nifi-cve-2023-34468-rce-vulnerability-analysis-and-exploitation","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-08T20:21:50Z/"}],"url":"https://www.cyfirma.com/outofband/apache-nifi-cve-2023-34468-rce-vulnerability-analysis-and-exploitation/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-34468","reference_id":"CVE-2023-34468","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-34468"},{"reference_url":"https://github.com/advisories/GHSA-xm2m-2q6h-22jw","reference_id":"GHSA-xm2m-2q6h-22jw","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xm2m-2q6h-22jw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/57917?format=json","purl":"pkg:maven/org.apache.nifi/nifi@1.22.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-hy35-v2p5-2ycq"},{"vulnerability":"VCID-rv8f-q4a4-xqbk"},{"vulnerability":"VCID-ues1-6z47-q7hc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.22.0"}],"aliases":["CVE-2023-34468","GHSA-xm2m-2q6h-22jw"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3eka-p4cs-f3dz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50560?format=json","vulnerability_id":"VCID-4v3d-ugqf-uyag","summary":"Apache NiFi information disclosure by XXE\nThe XMLFileLookupService in NiFi versions 1.3.0 to 1.9.2 allowed trusted users to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE) and reveal information such as the versions of Java, Jersey, and Apache that the NiFI instance uses.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-10080","reference_id":"","reference_type":"","scores":[{"value":"0.00418","scoring_system":"epss","scoring_elements":"0.61763","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00418","scoring_system":"epss","scoring_elements":"0.6176","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00418","scoring_system":"epss","scoring_elements":"0.61779","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00418","scoring_system":"epss","scoring_elements":"0.61794","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00418","scoring_system":"epss","scoring_elements":"0.61815","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00418","scoring_system":"epss","scoring_elements":"0.61802","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00418","scoring_system":"epss","scoring_elements":"0.61783","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00418","scoring_system":"epss","scoring_elements":"0.61825","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00418","scoring_system":"epss","scoring_elements":"0.6183","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00418","scoring_system":"epss","scoring_elements":"0.61813","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00418","scoring_system":"epss","scoring_elements":"0.61808","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00418","scoring_system":"epss","scoring_elements":"0.61826","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00418","scoring_system":"epss","scoring_elements":"0.61818","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00418","scoring_system":"epss","scoring_elements":"0.61656","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00418","scoring_system":"epss","scoring_elements":"0.6173","published_at":"2026-04-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-10080"},{"reference_url":"https://github.com/apache/nifi/pull/3507","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/nifi/pull/3507"},{"reference_url":"https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E"},{"reference_url":"https://nifi.apache.org/security.html#CVE-2019-10080","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nifi.apache.org/security.html#CVE-2019-10080"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-10080","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:S/C:P/I:N/A:N"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-10080"},{"reference_url":"https://www.oracle.com/security-alerts/cpuApr2021.html","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*"},{"reference_url":"https://github.com/advisories/GHSA-744r-vv2g-2x6g","reference_id":"GHSA-744r-vv2g-2x6g","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-744r-vv2g-2x6g"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/78830?format=json","purl":"pkg:maven/org.apache.nifi/nifi@1.10.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ema-4jrp-3kfr"},{"vulnerability":"VCID-3eka-p4cs-f3dz"},{"vulnerability":"VCID-4uja-72yx-6qdc"},{"vulnerability":"VCID-bppj-knks-jybe"},{"vulnerability":"VCID-bpqd-tx8f-kycf"},{"vulnerability":"VCID-ec58-s3nd-7yaz"},{"vulnerability":"VCID-g74u-zmqj-gyb7"},{"vulnerability":"VCID-gqjq-sbf1-x7ew"},{"vulnerability":"VCID-hy35-v2p5-2ycq"},{"vulnerability":"VCID-rn4r-36ab-sfey"},{"vulnerability":"VCID-rv8f-q4a4-xqbk"},{"vulnerability":"VCID-xhjy-xmhq-abh7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.10.0"}],"aliases":["CVE-2019-10080","GHSA-744r-vv2g-2x6g"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4v3d-ugqf-uyag"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/5055?format=json","vulnerability_id":"VCID-6mt2-4tn4-5bcb","summary":"The message-page.jsp error page used the value of the HTTP request header X-ProxyContextPath without sanitization, resulting in a reflected XSS attack. Mitigation: The fix to correctly parse and sanitize the request attribute value was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-17193","reference_id":"","reference_type":"","scores":[{"value":"0.0159","scoring_system":"epss","scoring_elements":"0.81729","published_at":"2026-05-05T12:55:00Z"},{"value":"0.0159","scoring_system":"epss","scoring_elements":"0.8158","published_at":"2026-04-02T12:55:00Z"},{"value":"0.0159","scoring_system":"epss","scoring_elements":"0.81601","published_at":"2026-04-04T12:55:00Z"},{"value":"0.0159","scoring_system":"epss","scoring_elements":"0.81598","published_at":"2026-04-07T12:55:00Z"},{"value":"0.0159","scoring_system":"epss","scoring_elements":"0.81626","published_at":"2026-04-08T12:55:00Z"},{"value":"0.0159","scoring_system":"epss","scoring_elements":"0.81631","published_at":"2026-04-09T12:55:00Z"},{"value":"0.0159","scoring_system":"epss","scoring_elements":"0.81651","published_at":"2026-04-11T12:55:00Z"},{"value":"0.0159","scoring_system":"epss","scoring_elements":"0.81639","published_at":"2026-04-12T12:55:00Z"},{"value":"0.0159","scoring_system":"epss","scoring_elements":"0.81632","published_at":"2026-04-13T12:55:00Z"},{"value":"0.0159","scoring_system":"epss","scoring_elements":"0.8167","published_at":"2026-04-18T12:55:00Z"},{"value":"0.0159","scoring_system":"epss","scoring_elements":"0.81674","published_at":"2026-04-21T12:55:00Z"},{"value":"0.0159","scoring_system":"epss","scoring_elements":"0.81697","published_at":"2026-04-24T12:55:00Z"},{"value":"0.0159","scoring_system":"epss","scoring_elements":"0.81706","published_at":"2026-04-26T12:55:00Z"},{"value":"0.0159","scoring_system":"epss","scoring_elements":"0.81711","published_at":"2026-04-29T12:55:00Z"},{"value":"0.0159","scoring_system":"epss","scoring_elements":"0.81568","published_at":"2026-04-01T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-17193"},{"reference_url":"https://github.com/advisories/GHSA-4qq9-rrq6-48ff","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4qq9-rrq6-48ff"},{"reference_url":"https://github.com/apache/nifi","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/nifi"},{"reference_url":"https://github.com/apache/nifi/commit/e62aa0252dfcf34dff0c3a9c51265b1d0f9dfc9f","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/nifi/commit/e62aa0252dfcf34dff0c3a9c51265b1d0f9dfc9f"},{"reference_url":"https://issues.apache.org/jira/browse/NIFI-5442","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://issues.apache.org/jira/browse/NIFI-5442"},{"reference_url":"https://nifi.apache.org/security.html#CVE-2018-17193","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nifi.apache.org/security.html#CVE-2018-17193"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-17193","reference_id":"CVE-2018-17193","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-17193"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/34094?format=json","purl":"pkg:maven/org.apache.nifi/nifi@1.8.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ema-4jrp-3kfr"},{"vulnerability":"VCID-3eka-p4cs-f3dz"},{"vulnerability":"VCID-4uja-72yx-6qdc"},{"vulnerability":"VCID-4v3d-ugqf-uyag"},{"vulnerability":"VCID-bppj-knks-jybe"},{"vulnerability":"VCID-bpqd-tx8f-kycf"},{"vulnerability":"VCID-ec58-s3nd-7yaz"},{"vulnerability":"VCID-g74u-zmqj-gyb7"},{"vulnerability":"VCID-gqjq-sbf1-x7ew"},{"vulnerability":"VCID-hy35-v2p5-2ycq"},{"vulnerability":"VCID-rn4r-36ab-sfey"},{"vulnerability":"VCID-rv8f-q4a4-xqbk"},{"vulnerability":"VCID-yrgr-3cv3-b3ff"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.8.0"}],"aliases":["CVE-2018-17193","GHSA-4qq9-rrq6-48ff"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6mt2-4tn4-5bcb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/52510?format=json","vulnerability_id":"VCID-bppj-knks-jybe","summary":"Improper Restriction of XML External Entity Reference in Apache NiFi\nIn Apache NiFi 1.0.0 to 1.11.4, the notification service manager and various policy authorizer and user group provider objects allowed trusted administrators to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE).","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-13940","reference_id":"","reference_type":"","scores":[{"value":"0.0096","scoring_system":"epss","scoring_elements":"0.76542","published_at":"2026-05-05T12:55:00Z"},{"value":"0.0096","scoring_system":"epss","scoring_elements":"0.76473","published_at":"2026-04-12T12:55:00Z"},{"value":"0.0096","scoring_system":"epss","scoring_elements":"0.76509","published_at":"2026-04-16T12:55:00Z"},{"value":"0.0096","scoring_system":"epss","scoring_elements":"0.76513","published_at":"2026-04-18T12:55:00Z"},{"value":"0.0096","scoring_system":"epss","scoring_elements":"0.76501","published_at":"2026-04-21T12:55:00Z"},{"value":"0.0096","scoring_system":"epss","scoring_elements":"0.76535","published_at":"2026-04-24T12:55:00Z"},{"value":"0.0096","scoring_system":"epss","scoring_elements":"0.76541","published_at":"2026-04-26T12:55:00Z"},{"value":"0.0096","scoring_system":"epss","scoring_elements":"0.76554","published_at":"2026-04-29T12:55:00Z"},{"value":"0.0096","scoring_system":"epss","scoring_elements":"0.7641","published_at":"2026-04-01T12:55:00Z"},{"value":"0.0096","scoring_system":"epss","scoring_elements":"0.76413","published_at":"2026-04-02T12:55:00Z"},{"value":"0.0096","scoring_system":"epss","scoring_elements":"0.76441","published_at":"2026-04-04T12:55:00Z"},{"value":"0.0096","scoring_system":"epss","scoring_elements":"0.76423","published_at":"2026-04-07T12:55:00Z"},{"value":"0.0096","scoring_system":"epss","scoring_elements":"0.76455","published_at":"2026-04-08T12:55:00Z"},{"value":"0.0096","scoring_system":"epss","scoring_elements":"0.76469","published_at":"2026-04-13T12:55:00Z"},{"value":"0.0096","scoring_system":"epss","scoring_elements":"0.76495","published_at":"2026-04-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-13940"},{"reference_url":"https://github.com/apache/nifi/commit/7f0416ee8bdcee95e28409cc6fae9c1394c2a798","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/nifi/commit/7f0416ee8bdcee95e28409cc6fae9c1394c2a798"},{"reference_url":"https://nifi.apache.org/security#CVE-2020-13940","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nifi.apache.org/security#CVE-2020-13940"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13940","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13940"},{"reference_url":"https://github.com/advisories/GHSA-q4xf-3pmq-3hw8","reference_id":"GHSA-q4xf-3pmq-3hw8","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-q4xf-3pmq-3hw8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/80226?format=json","purl":"pkg:maven/org.apache.nifi/nifi@1.12.0-RC1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.12.0-RC1"},{"url":"http://public2.vulnerablecode.io/api/packages/215703?format=json","purl":"pkg:maven/org.apache.nifi/nifi@1.12.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3eka-p4cs-f3dz"},{"vulnerability":"VCID-4uja-72yx-6qdc"},{"vulnerability":"VCID-bpqd-tx8f-kycf"},{"vulnerability":"VCID-ec58-s3nd-7yaz"},{"vulnerability":"VCID-g74u-zmqj-gyb7"},{"vulnerability":"VCID-hy35-v2p5-2ycq"},{"vulnerability":"VCID-rn4r-36ab-sfey"},{"vulnerability":"VCID-rv8f-q4a4-xqbk"},{"vulnerability":"VCID-xhjy-xmhq-abh7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.12.0"}],"aliases":["CVE-2020-13940","GHSA-q4xf-3pmq-3hw8"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bppj-knks-jybe"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/14007?format=json","vulnerability_id":"VCID-bpqd-tx8f-kycf","summary":"Improper Restriction of XML External Entity Reference\nMultiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configuration. The Standard Content Viewer service attempts to resolve XML External Entity references when viewing formatted XML files. The following Processors attempt to resolve XML External Entity references when configured with default property values: - `EvaluateXPath` - `EvaluateXQuery` - `ValidateXml` Apache NiFi flow configurations that include these Processors is vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. The resolution disables Document Type Declarations in the default configuration for these Processors, and disallows XML External Entity resolution in standard services.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-29265","reference_id":"","reference_type":"","scores":[{"value":"0.0212","scoring_system":"epss","scoring_elements":"0.84221","published_at":"2026-05-05T12:55:00Z"},{"value":"0.0212","scoring_system":"epss","scoring_elements":"0.84146","published_at":"2026-04-11T12:55:00Z"},{"value":"0.0212","scoring_system":"epss","scoring_elements":"0.84141","published_at":"2026-04-12T12:55:00Z"},{"value":"0.0212","scoring_system":"epss","scoring_elements":"0.84136","published_at":"2026-04-13T12:55:00Z"},{"value":"0.0212","scoring_system":"epss","scoring_elements":"0.84159","published_at":"2026-04-16T12:55:00Z"},{"value":"0.0212","scoring_system":"epss","scoring_elements":"0.8416","published_at":"2026-04-18T12:55:00Z"},{"value":"0.0212","scoring_system":"epss","scoring_elements":"0.84164","published_at":"2026-04-21T12:55:00Z"},{"value":"0.0212","scoring_system":"epss","scoring_elements":"0.84189","published_at":"2026-04-24T12:55:00Z"},{"value":"0.0212","scoring_system":"epss","scoring_elements":"0.84196","published_at":"2026-04-26T12:55:00Z"},{"value":"0.0212","scoring_system":"epss","scoring_elements":"0.84201","published_at":"2026-04-29T12:55:00Z"},{"value":"0.0212","scoring_system":"epss","scoring_elements":"0.84081","published_at":"2026-04-02T12:55:00Z"},{"value":"0.0212","scoring_system":"epss","scoring_elements":"0.84098","published_at":"2026-04-04T12:55:00Z"},{"value":"0.0212","scoring_system":"epss","scoring_elements":"0.841","published_at":"2026-04-07T12:55:00Z"},{"value":"0.0212","scoring_system":"epss","scoring_elements":"0.84123","published_at":"2026-04-08T12:55:00Z"},{"value":"0.0212","scoring_system":"epss","scoring_elements":"0.84129","published_at":"2026-04-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-29265"},{"reference_url":"https://github.com/apache/nifi","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/nifi"},{"reference_url":"https://lists.apache.org/thread/47od9kr9n4cyv0mv81jh3pkyx815kyjl","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread/47od9kr9n4cyv0mv81jh3pkyx815kyjl"},{"reference_url":"https://nifi.apache.org/security.html#CVE-2022-29265","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nifi.apache.org/security.html#CVE-2022-29265"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-29265","reference_id":"CVE-2022-29265","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-29265"},{"reference_url":"https://github.com/advisories/GHSA-wc97-7623-rxwx","reference_id":"GHSA-wc97-7623-rxwx","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wc97-7623-rxwx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/50091?format=json","purl":"pkg:maven/org.apache.nifi/nifi@1.16.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3eka-p4cs-f3dz"},{"vulnerability":"VCID-4uja-72yx-6qdc"},{"vulnerability":"VCID-g74u-zmqj-gyb7"},{"vulnerability":"VCID-hy35-v2p5-2ycq"},{"vulnerability":"VCID-rv8f-q4a4-xqbk"},{"vulnerability":"VCID-xhjy-xmhq-abh7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.16.1"}],"aliases":["CVE-2022-29265","GHSA-wc97-7623-rxwx"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bpqd-tx8f-kycf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/16397?format=json","vulnerability_id":"VCID-g74u-zmqj-gyb7","summary":"XML External Entity Reference in Apache NiFi\nThe ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references. Flow configurations that include the ExtractCCDAAttributes Processor are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. The resolution disables Document Type Declarations and disallows XML External Entity resolution in the ExtractCCDAAttributes Processor.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-22832","reference_id":"","reference_type":"","scores":[{"value":"0.02041","scoring_system":"epss","scoring_elements":"0.83798","published_at":"2026-04-07T12:55:00Z"},{"value":"0.02041","scoring_system":"epss","scoring_elements":"0.83926","published_at":"2026-05-05T12:55:00Z"},{"value":"0.02041","scoring_system":"epss","scoring_elements":"0.83904","published_at":"2026-04-29T12:55:00Z"},{"value":"0.02041","scoring_system":"epss","scoring_elements":"0.83899","published_at":"2026-04-26T12:55:00Z"},{"value":"0.02041","scoring_system":"epss","scoring_elements":"0.83892","published_at":"2026-04-24T12:55:00Z"},{"value":"0.02041","scoring_system":"epss","scoring_elements":"0.83797","published_at":"2026-04-04T12:55:00Z"},{"value":"0.02041","scoring_system":"epss","scoring_elements":"0.83822","published_at":"2026-04-08T12:55:00Z"},{"value":"0.02041","scoring_system":"epss","scoring_elements":"0.83866","published_at":"2026-04-21T12:55:00Z"},{"value":"0.02041","scoring_system":"epss","scoring_elements":"0.83867","published_at":"2026-04-18T12:55:00Z"},{"value":"0.02041","scoring_system":"epss","scoring_elements":"0.83833","published_at":"2026-04-13T12:55:00Z"},{"value":"0.02041","scoring_system":"epss","scoring_elements":"0.83837","published_at":"2026-04-12T12:55:00Z"},{"value":"0.02041","scoring_system":"epss","scoring_elements":"0.83783","published_at":"2026-04-02T12:55:00Z"},{"value":"0.02041","scoring_system":"epss","scoring_elements":"0.83844","published_at":"2026-04-11T12:55:00Z"},{"value":"0.02041","scoring_system":"epss","scoring_elements":"0.83828","published_at":"2026-04-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-22832"},{"reference_url":"https://github.com/apache/nifi","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/nifi"},{"reference_url":"https://github.com/apache/nifi/commit/e966336e8966cf0cbbd12a2c4f2d73a7ceb75cd8","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/nifi/commit/e966336e8966cf0cbbd12a2c4f2d73a7ceb75cd8"},{"reference_url":"https://lists.apache.org/thread/b51qs6y7b7r58vovddkv6wc16g2xbl3w","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-24T16:28:56Z/"}],"url":"https://lists.apache.org/thread/b51qs6y7b7r58vovddkv6wc16g2xbl3w"},{"reference_url":"https://nifi.apache.org/security.html#CVE-2023-22832","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-24T16:28:56Z/"}],"url":"https://nifi.apache.org/security.html#CVE-2023-22832"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-22832","reference_id":"CVE-2023-22832","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-22832"},{"reference_url":"https://github.com/advisories/GHSA-hxjp-q6c3-38fx","reference_id":"GHSA-hxjp-q6c3-38fx","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hxjp-q6c3-38fx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/355490?format=json","purl":"pkg:maven/org.apache.nifi/nifi@1.20.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3eka-p4cs-f3dz"},{"vulnerability":"VCID-4uja-72yx-6qdc"},{"vulnerability":"VCID-hy35-v2p5-2ycq"},{"vulnerability":"VCID-rv8f-q4a4-xqbk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.20.0"}],"aliases":["CVE-2023-22832","GHSA-hxjp-q6c3-38fx"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-g74u-zmqj-gyb7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/52447?format=json","vulnerability_id":"VCID-gqjq-sbf1-x7ew","summary":"Cross-site scripting in Apache NiFi\nA XSS vulnerability was found in Apache NiFi 1.0.0 to 1.10.0. Malicious scripts could be injected to the UI through action by an unaware authenticated user in Firefox. Did not appear to occur in other browsers.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-1933","reference_id":"","reference_type":"","scores":[{"value":"0.00485","scoring_system":"epss","scoring_elements":"0.65377","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00485","scoring_system":"epss","scoring_elements":"0.6534","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00485","scoring_system":"epss","scoring_elements":"0.65376","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00485","scoring_system":"epss","scoring_elements":"0.65387","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00485","scoring_system":"epss","scoring_elements":"0.65371","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00485","scoring_system":"epss","scoring_elements":"0.65388","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00485","scoring_system":"epss","scoring_elements":"0.65401","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00485","scoring_system":"epss","scoring_elements":"0.65398","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00485","scoring_system":"epss","scoring_elements":"0.65259","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00485","scoring_system":"epss","scoring_elements":"0.65309","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00485","scoring_system":"epss","scoring_elements":"0.65334","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00485","scoring_system":"epss","scoring_elements":"0.65298","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00485","scoring_system":"epss","scoring_elements":"0.6535","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00485","scoring_system":"epss","scoring_elements":"0.65362","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00485","scoring_system":"epss","scoring_elements":"0.65381","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00485","scoring_system":"epss","scoring_elements":"0.65368","published_at":"2026-04-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-1933"},{"reference_url":"https://github.com/apache/nifi/pull/3991","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/nifi/pull/3991"},{"reference_url":"https://nifi.apache.org/security.html#CVE-2020-1933","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nifi.apache.org/security.html#CVE-2020-1933"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-1933","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-1933"},{"reference_url":"https://github.com/advisories/GHSA-pqhq-xx62-2v2p","reference_id":"GHSA-pqhq-xx62-2v2p","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-pqhq-xx62-2v2p"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/80194?format=json","purl":"pkg:maven/org.apache.nifi/nifi@1.11.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ema-4jrp-3kfr"},{"vulnerability":"VCID-3eka-p4cs-f3dz"},{"vulnerability":"VCID-4uja-72yx-6qdc"},{"vulnerability":"VCID-bppj-knks-jybe"},{"vulnerability":"VCID-bpqd-tx8f-kycf"},{"vulnerability":"VCID-ec58-s3nd-7yaz"},{"vulnerability":"VCID-g74u-zmqj-gyb7"},{"vulnerability":"VCID-hy35-v2p5-2ycq"},{"vulnerability":"VCID-rn4r-36ab-sfey"},{"vulnerability":"VCID-rv8f-q4a4-xqbk"},{"vulnerability":"VCID-xhjy-xmhq-abh7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.11.0"}],"aliases":["CVE-2020-1933","GHSA-pqhq-xx62-2v2p"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gqjq-sbf1-x7ew"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/19954?format=json","vulnerability_id":"VCID-hy35-v2p5-2ycq","summary":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nApache NiFi 0.7.0 through 1.23.2 include the JoltTransformJSON Processor, which provides an advanced configuration user interface that is vulnerable to DOM-based cross-site scripting. If an authenticated user, who is authorized to configure a JoltTransformJSON Processor, visits a crafted URL, then arbitrary\nJavaScript code can be executed within the session context of the authenticated user. Upgrading to Apache NiFi 1.24.0 or 2.0.0-M1 is the recommended mitigation.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-49145","reference_id":"","reference_type":"","scores":[{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52552","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52507","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52565","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52602","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52641","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52656","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52649","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52545","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52578","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.5261","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52625","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52642","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52591","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52597","published_at":"2026-04-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-49145"},{"reference_url":"https://github.com/apache/nifi","reference_id":"","reference_type":"","scores":[{"value":"7.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/nifi"},{"reference_url":"https://github.com/apache/nifi/commit/50efc55df6bb00ea15adcc2459d5cc82d128857f","reference_id":"","reference_type":"","scores":[{"value":"7.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/nifi/commit/50efc55df6bb00ea15adcc2459d5cc82d128857f"},{"reference_url":"https://github.com/apache/nifi/pull/8060","reference_id":"","reference_type":"","scores":[{"value":"7.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/nifi/pull/8060"},{"reference_url":"https://issues.apache.org/jira/browse/NIFI-12403","reference_id":"","reference_type":"","scores":[{"value":"7.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://issues.apache.org/jira/browse/NIFI-12403"},{"reference_url":"https://lists.apache.org/thread/j8rd0qsvgoj0khqck5f49jfbp0fm8r1o","reference_id":"","reference_type":"","scores":[{"value":"7.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread/j8rd0qsvgoj0khqck5f49jfbp0fm8r1o"},{"reference_url":"https://nifi.apache.org/security.html#CVE-2023-49145","reference_id":"","reference_type":"","scores":[{"value":"7.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nifi.apache.org/security.html#CVE-2023-49145"},{"reference_url":"http://www.openwall.com/lists/oss-security/2023/11/27/5","reference_id":"","reference_type":"","scores":[{"value":"7.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2023/11/27/5"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-49145","reference_id":"CVE-2023-49145","reference_type":"","scores":[{"value":"7.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-49145"},{"reference_url":"https://github.com/advisories/GHSA-68pr-6fjc-wmgm","reference_id":"GHSA-68pr-6fjc-wmgm","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-68pr-6fjc-wmgm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/61314?format=json","purl":"pkg:maven/org.apache.nifi/nifi@1.24.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.24.0"}],"aliases":["CVE-2023-49145","GHSA-68pr-6fjc-wmgm"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hy35-v2p5-2ycq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9053?format=json","vulnerability_id":"VCID-j263-1hyr-t7hn","summary":"Deserialization of Untrusted Data\nApache NiFi JMS Deserialization issue because of ActiveMQ client vulnerability. Malicious JMS content could cause denial of service.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-1310","reference_id":"","reference_type":"","scores":[{"value":"0.0184","scoring_system":"epss","scoring_elements":"0.83053","published_at":"2026-05-05T12:55:00Z"},{"value":"0.0184","scoring_system":"epss","scoring_elements":"0.82952","published_at":"2026-04-13T12:55:00Z"},{"value":"0.0184","scoring_system":"epss","scoring_elements":"0.82991","published_at":"2026-04-16T12:55:00Z"},{"value":"0.0184","scoring_system":"epss","scoring_elements":"0.8299","published_at":"2026-04-18T12:55:00Z"},{"value":"0.0184","scoring_system":"epss","scoring_elements":"0.82994","published_at":"2026-04-21T12:55:00Z"},{"value":"0.0184","scoring_system":"epss","scoring_elements":"0.83016","published_at":"2026-04-24T12:55:00Z"},{"value":"0.0184","scoring_system":"epss","scoring_elements":"0.83024","published_at":"2026-04-26T12:55:00Z"},{"value":"0.0184","scoring_system":"epss","scoring_elements":"0.8303","published_at":"2026-04-29T12:55:00Z"},{"value":"0.0184","scoring_system":"epss","scoring_elements":"0.82888","published_at":"2026-04-01T12:55:00Z"},{"value":"0.0184","scoring_system":"epss","scoring_elements":"0.82905","published_at":"2026-04-02T12:55:00Z"},{"value":"0.0184","scoring_system":"epss","scoring_elements":"0.82917","published_at":"2026-04-04T12:55:00Z"},{"value":"0.0184","scoring_system":"epss","scoring_elements":"0.82913","published_at":"2026-04-07T12:55:00Z"},{"value":"0.0184","scoring_system":"epss","scoring_elements":"0.82939","published_at":"2026-04-08T12:55:00Z"},{"value":"0.0184","scoring_system":"epss","scoring_elements":"0.82946","published_at":"2026-04-09T12:55:00Z"},{"value":"0.0184","scoring_system":"epss","scoring_elements":"0.82961","published_at":"2026-04-11T12:55:00Z"},{"value":"0.0184","scoring_system":"epss","scoring_elements":"0.82956","published_at":"2026-04-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-1310"},{"reference_url":"https://nifi.apache.org/security.html#CVE-2018-1310","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nifi.apache.org/security.html#CVE-2018-1310"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1310","reference_id":"CVE-2018-1310","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:N/C:N/I:N/A:P"},{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1310"},{"reference_url":"https://github.com/advisories/GHSA-p76j-5v6v-6c22","reference_id":"GHSA-p76j-5v6v-6c22","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-p76j-5v6v-6c22"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/27859?format=json","purl":"pkg:maven/org.apache.nifi/nifi@1.6.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2dsr-hras-zudk"},{"vulnerability":"VCID-2ema-4jrp-3kfr"},{"vulnerability":"VCID-3eka-p4cs-f3dz"},{"vulnerability":"VCID-4v3d-ugqf-uyag"},{"vulnerability":"VCID-6mt2-4tn4-5bcb"},{"vulnerability":"VCID-bppj-knks-jybe"},{"vulnerability":"VCID-bpqd-tx8f-kycf"},{"vulnerability":"VCID-g74u-zmqj-gyb7"},{"vulnerability":"VCID-gqjq-sbf1-x7ew"},{"vulnerability":"VCID-hy35-v2p5-2ycq"},{"vulnerability":"VCID-rj21-6d19-gqbe"},{"vulnerability":"VCID-rn4r-36ab-sfey"},{"vulnerability":"VCID-rv8f-q4a4-xqbk"},{"vulnerability":"VCID-yrgr-3cv3-b3ff"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.6.0"}],"aliases":["CVE-2018-1310","GHSA-p76j-5v6v-6c22"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-j263-1hyr-t7hn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8714?format=json","vulnerability_id":"VCID-k1bm-1u7b-vybp","summary":"Improper Input Validation\nA malicious host header in an incoming HTTP request could cause NiFi to load resources from an external server.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-12632","reference_id":"","reference_type":"","scores":[{"value":"0.0053","scoring_system":"epss","scoring_elements":"0.67267","published_at":"2026-05-05T12:55:00Z"},{"value":"0.0053","scoring_system":"epss","scoring_elements":"0.67235","published_at":"2026-04-13T12:55:00Z"},{"value":"0.0053","scoring_system":"epss","scoring_elements":"0.67282","published_at":"2026-04-24T12:55:00Z"},{"value":"0.0053","scoring_system":"epss","scoring_elements":"0.67262","published_at":"2026-04-21T12:55:00Z"},{"value":"0.0053","scoring_system":"epss","scoring_elements":"0.67292","published_at":"2026-04-26T12:55:00Z"},{"value":"0.0053","scoring_system":"epss","scoring_elements":"0.67294","published_at":"2026-04-29T12:55:00Z"},{"value":"0.0053","scoring_system":"epss","scoring_elements":"0.67162","published_at":"2026-04-01T12:55:00Z"},{"value":"0.0053","scoring_system":"epss","scoring_elements":"0.672","published_at":"2026-04-07T12:55:00Z"},{"value":"0.0053","scoring_system":"epss","scoring_elements":"0.67224","published_at":"2026-04-04T12:55:00Z"},{"value":"0.0053","scoring_system":"epss","scoring_elements":"0.67251","published_at":"2026-04-08T12:55:00Z"},{"value":"0.0053","scoring_system":"epss","scoring_elements":"0.67265","published_at":"2026-04-09T12:55:00Z"},{"value":"0.0053","scoring_system":"epss","scoring_elements":"0.67284","published_at":"2026-04-11T12:55:00Z"},{"value":"0.0053","scoring_system":"epss","scoring_elements":"0.6727","published_at":"2026-04-16T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-12632"},{"reference_url":"https://nifi.apache.org/security.html#CVE-2017-12632","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nifi.apache.org/security.html#CVE-2017-12632"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-12632","reference_id":"CVE-2017-12632","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-12632"},{"reference_url":"https://github.com/advisories/GHSA-w4x6-j349-9r57","reference_id":"GHSA-w4x6-j349-9r57","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-w4x6-j349-9r57"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/26296?format=json","purl":"pkg:maven/org.apache.nifi/nifi@1.5.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2dsr-hras-zudk"},{"vulnerability":"VCID-2ema-4jrp-3kfr"},{"vulnerability":"VCID-3eka-p4cs-f3dz"},{"vulnerability":"VCID-4v3d-ugqf-uyag"},{"vulnerability":"VCID-6mt2-4tn4-5bcb"},{"vulnerability":"VCID-bppj-knks-jybe"},{"vulnerability":"VCID-bpqd-tx8f-kycf"},{"vulnerability":"VCID-g74u-zmqj-gyb7"},{"vulnerability":"VCID-gqjq-sbf1-x7ew"},{"vulnerability":"VCID-hy35-v2p5-2ycq"},{"vulnerability":"VCID-j263-1hyr-t7hn"},{"vulnerability":"VCID-rj21-6d19-gqbe"},{"vulnerability":"VCID-rn4r-36ab-sfey"},{"vulnerability":"VCID-rv8f-q4a4-xqbk"},{"vulnerability":"VCID-yrgr-3cv3-b3ff"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.5.0"}],"aliases":["CVE-2017-12632","GHSA-w4x6-j349-9r57"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-k1bm-1u7b-vybp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/4824?format=json","vulnerability_id":"VCID-rj21-6d19-gqbe","summary":"The X-Frame-Options headers were applied inconsistently on some HTTP responses, resulting in duplicate or missing security headers. Some browsers would interpret these results incorrectly, allowing clickjacking attacks. Mitigation: The fix to consistently apply the security headers was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-17192","reference_id":"","reference_type":"","scores":[{"value":"0.00798","scoring_system":"epss","scoring_elements":"0.74104","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00798","scoring_system":"epss","scoring_elements":"0.73978","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00798","scoring_system":"epss","scoring_elements":"0.74012","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00798","scoring_system":"epss","scoring_elements":"0.74026","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00798","scoring_system":"epss","scoring_elements":"0.74049","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00798","scoring_system":"epss","scoring_elements":"0.7403","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00798","scoring_system":"epss","scoring_elements":"0.74023","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00798","scoring_system":"epss","scoring_elements":"0.74062","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00798","scoring_system":"epss","scoring_elements":"0.74071","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00798","scoring_system":"epss","scoring_elements":"0.74063","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00798","scoring_system":"epss","scoring_elements":"0.74096","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00798","scoring_system":"epss","scoring_elements":"0.74105","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00798","scoring_system":"epss","scoring_elements":"0.73974","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00798","scoring_system":"epss","scoring_elements":"0.73981","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00798","scoring_system":"epss","scoring_elements":"0.74007","published_at":"2026-04-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-17192"},{"reference_url":"https://github.com/advisories/GHSA-2xpp-75vr-22vq","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2xpp-75vr-22vq"},{"reference_url":"https://github.com/apache/nifi/commit/dbf259508c2b8e176d8cb837177aaadbf44f0670","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/nifi/commit/dbf259508c2b8e176d8cb837177aaadbf44f0670"},{"reference_url":"https://issues.apache.org/jira/browse/NIFI-5258","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://issues.apache.org/jira/browse/NIFI-5258"},{"reference_url":"https://nifi.apache.org/security.html#CVE-2018-17192","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nifi.apache.org/security.html#CVE-2018-17192"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-17192","reference_id":"CVE-2018-17192","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-17192"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/34100?format=json","purl":"pkg:maven/org.apache.nifi/nifi@1.7.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2dsr-hras-zudk"},{"vulnerability":"VCID-2ema-4jrp-3kfr"},{"vulnerability":"VCID-3eka-p4cs-f3dz"},{"vulnerability":"VCID-4v3d-ugqf-uyag"},{"vulnerability":"VCID-6mt2-4tn4-5bcb"},{"vulnerability":"VCID-bppj-knks-jybe"},{"vulnerability":"VCID-bpqd-tx8f-kycf"},{"vulnerability":"VCID-ec58-s3nd-7yaz"},{"vulnerability":"VCID-g74u-zmqj-gyb7"},{"vulnerability":"VCID-gqjq-sbf1-x7ew"},{"vulnerability":"VCID-hy35-v2p5-2ycq"},{"vulnerability":"VCID-rn4r-36ab-sfey"},{"vulnerability":"VCID-rv8f-q4a4-xqbk"},{"vulnerability":"VCID-yrgr-3cv3-b3ff"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.7.0"},{"url":"http://public2.vulnerablecode.io/api/packages/34094?format=json","purl":"pkg:maven/org.apache.nifi/nifi@1.8.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ema-4jrp-3kfr"},{"vulnerability":"VCID-3eka-p4cs-f3dz"},{"vulnerability":"VCID-4uja-72yx-6qdc"},{"vulnerability":"VCID-4v3d-ugqf-uyag"},{"vulnerability":"VCID-bppj-knks-jybe"},{"vulnerability":"VCID-bpqd-tx8f-kycf"},{"vulnerability":"VCID-ec58-s3nd-7yaz"},{"vulnerability":"VCID-g74u-zmqj-gyb7"},{"vulnerability":"VCID-gqjq-sbf1-x7ew"},{"vulnerability":"VCID-hy35-v2p5-2ycq"},{"vulnerability":"VCID-rn4r-36ab-sfey"},{"vulnerability":"VCID-rv8f-q4a4-xqbk"},{"vulnerability":"VCID-yrgr-3cv3-b3ff"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.8.0"}],"aliases":["CVE-2018-17192","GHSA-2xpp-75vr-22vq"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rj21-6d19-gqbe"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8716?format=json","vulnerability_id":"VCID-rjau-hbsn-u3ah","summary":"Improper Input Validation\nA malicious `X-ProxyContextPath` or `X-Forwarded-Context` header containing external resources or embedded code could cause remote code execution.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-15697","reference_id":"","reference_type":"","scores":[{"value":"0.02452","scoring_system":"epss","scoring_elements":"0.85276","published_at":"2026-05-05T12:55:00Z"},{"value":"0.02452","scoring_system":"epss","scoring_elements":"0.85231","published_at":"2026-04-21T12:55:00Z"},{"value":"0.02452","scoring_system":"epss","scoring_elements":"0.85232","published_at":"2026-04-18T12:55:00Z"},{"value":"0.02452","scoring_system":"epss","scoring_elements":"0.85254","published_at":"2026-04-24T12:55:00Z"},{"value":"0.02452","scoring_system":"epss","scoring_elements":"0.85263","published_at":"2026-04-26T12:55:00Z"},{"value":"0.02452","scoring_system":"epss","scoring_elements":"0.85261","published_at":"2026-04-29T12:55:00Z"},{"value":"0.02452","scoring_system":"epss","scoring_elements":"0.85141","published_at":"2026-04-01T12:55:00Z"},{"value":"0.02452","scoring_system":"epss","scoring_elements":"0.85153","published_at":"2026-04-02T12:55:00Z"},{"value":"0.02452","scoring_system":"epss","scoring_elements":"0.85171","published_at":"2026-04-04T12:55:00Z"},{"value":"0.02452","scoring_system":"epss","scoring_elements":"0.85172","published_at":"2026-04-07T12:55:00Z"},{"value":"0.02452","scoring_system":"epss","scoring_elements":"0.85194","published_at":"2026-04-08T12:55:00Z"},{"value":"0.02452","scoring_system":"epss","scoring_elements":"0.85202","published_at":"2026-04-09T12:55:00Z"},{"value":"0.02452","scoring_system":"epss","scoring_elements":"0.85216","published_at":"2026-04-11T12:55:00Z"},{"value":"0.02452","scoring_system":"epss","scoring_elements":"0.85214","published_at":"2026-04-12T12:55:00Z"},{"value":"0.02452","scoring_system":"epss","scoring_elements":"0.8521","published_at":"2026-04-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-15697"},{"reference_url":"https://nifi.apache.org/security.html#CVE-2017-15697","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nifi.apache.org/security.html#CVE-2017-15697"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-15697","reference_id":"CVE-2017-15697","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-15697"},{"reference_url":"https://github.com/advisories/GHSA-29ph-fjf3-c5cm","reference_id":"GHSA-29ph-fjf3-c5cm","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-29ph-fjf3-c5cm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/26296?format=json","purl":"pkg:maven/org.apache.nifi/nifi@1.5.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2dsr-hras-zudk"},{"vulnerability":"VCID-2ema-4jrp-3kfr"},{"vulnerability":"VCID-3eka-p4cs-f3dz"},{"vulnerability":"VCID-4v3d-ugqf-uyag"},{"vulnerability":"VCID-6mt2-4tn4-5bcb"},{"vulnerability":"VCID-bppj-knks-jybe"},{"vulnerability":"VCID-bpqd-tx8f-kycf"},{"vulnerability":"VCID-g74u-zmqj-gyb7"},{"vulnerability":"VCID-gqjq-sbf1-x7ew"},{"vulnerability":"VCID-hy35-v2p5-2ycq"},{"vulnerability":"VCID-j263-1hyr-t7hn"},{"vulnerability":"VCID-rj21-6d19-gqbe"},{"vulnerability":"VCID-rn4r-36ab-sfey"},{"vulnerability":"VCID-rv8f-q4a4-xqbk"},{"vulnerability":"VCID-yrgr-3cv3-b3ff"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.5.0"}],"aliases":["CVE-2017-15697","GHSA-29ph-fjf3-c5cm"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rjau-hbsn-u3ah"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/11880?format=json","vulnerability_id":"VCID-rn4r-36ab-sfey","summary":"Exposure of Sensitive Information to an Unauthorized Actor\nIn the TransformXML processor of Apache NiFi an authenticated user could configure an XSLT file which, if it included malicious external entity calls, may reveal sensitive information.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-44145","reference_id":"","reference_type":"","scores":[{"value":"0.00315","scoring_system":"epss","scoring_elements":"0.54524","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00315","scoring_system":"epss","scoring_elements":"0.54595","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00315","scoring_system":"epss","scoring_elements":"0.54632","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00315","scoring_system":"epss","scoring_elements":"0.54634","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00315","scoring_system":"epss","scoring_elements":"0.54612","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00315","scoring_system":"epss","scoring_elements":"0.54582","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00315","scoring_system":"epss","scoring_elements":"0.54599","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00315","scoring_system":"epss","scoring_elements":"0.54577","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00315","scoring_system":"epss","scoring_elements":"0.54509","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00315","scoring_system":"epss","scoring_elements":"0.54581","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00315","scoring_system":"epss","scoring_elements":"0.54605","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00315","scoring_system":"epss","scoring_elements":"0.54574","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00315","scoring_system":"epss","scoring_elements":"0.54625","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00315","scoring_system":"epss","scoring_elements":"0.5462","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00315","scoring_system":"epss","scoring_elements":"0.54633","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00315","scoring_system":"epss","scoring_elements":"0.54616","published_at":"2026-04-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-44145"},{"reference_url":"https://nifi.apache.org/security.html#1.15.1-vulnerabilities","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nifi.apache.org/security.html#1.15.1-vulnerabilities"},{"reference_url":"http://www.openwall.com/lists/oss-security/2021/12/17/1","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2021/12/17/1"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-44145","reference_id":"CVE-2021-44145","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-44145"},{"reference_url":"https://github.com/advisories/GHSA-rq96-qhc5-vm4r","reference_id":"GHSA-rq96-qhc5-vm4r","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rq96-qhc5-vm4r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/42521?format=json","purl":"pkg:maven/org.apache.nifi/nifi@1.15.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3eka-p4cs-f3dz"},{"vulnerability":"VCID-4uja-72yx-6qdc"},{"vulnerability":"VCID-bpqd-tx8f-kycf"},{"vulnerability":"VCID-dmw5-6pw6-j3d6"},{"vulnerability":"VCID-g74u-zmqj-gyb7"},{"vulnerability":"VCID-hy35-v2p5-2ycq"},{"vulnerability":"VCID-rv8f-q4a4-xqbk"},{"vulnerability":"VCID-xhjy-xmhq-abh7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.15.1"}],"aliases":["CVE-2021-44145","GHSA-rq96-qhc5-vm4r"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rn4r-36ab-sfey"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/18547?format=json","vulnerability_id":"VCID-rv8f-q4a4-xqbk","summary":"Apache NiFi Code Injection vulnerability\nApache NiFi 0.0.2 through 1.22.0 include Processors and Controller Services that support HTTP URL references for retrieving drivers, which allows an authenticated and authorized user to configure a location that enables custom code execution. The resolution introduces a new Required Permission for referencing remote resources, restricting configuration of these components to privileged users. The permission prevents unprivileged users from configuring Processors and Controller Services annotated with the new Reference Remote Resources restriction. Upgrading to Apache NiFi 1.23.0 is the recommended mitigation.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-36542","reference_id":"","reference_type":"","scores":[{"value":"0.0096","scoring_system":"epss","scoring_elements":"0.76429","published_at":"2026-04-07T12:55:00Z"},{"value":"0.0096","scoring_system":"epss","scoring_elements":"0.76519","published_at":"2026-04-18T12:55:00Z"},{"value":"0.0096","scoring_system":"epss","scoring_elements":"0.76419","published_at":"2026-04-02T12:55:00Z"},{"value":"0.0096","scoring_system":"epss","scoring_elements":"0.76515","published_at":"2026-04-16T12:55:00Z"},{"value":"0.0096","scoring_system":"epss","scoring_elements":"0.76479","published_at":"2026-04-12T12:55:00Z"},{"value":"0.0096","scoring_system":"epss","scoring_elements":"0.76501","published_at":"2026-04-11T12:55:00Z"},{"value":"0.0096","scoring_system":"epss","scoring_elements":"0.76475","published_at":"2026-04-13T12:55:00Z"},{"value":"0.0096","scoring_system":"epss","scoring_elements":"0.76461","published_at":"2026-04-08T12:55:00Z"},{"value":"0.0096","scoring_system":"epss","scoring_elements":"0.76448","published_at":"2026-04-04T12:55:00Z"},{"value":"0.0096","scoring_system":"epss","scoring_elements":"0.76507","published_at":"2026-04-21T12:55:00Z"},{"value":"0.01165","scoring_system":"epss","scoring_elements":"0.78703","published_at":"2026-04-29T12:55:00Z"},{"value":"0.01165","scoring_system":"epss","scoring_elements":"0.78678","published_at":"2026-04-24T12:55:00Z"},{"value":"0.01165","scoring_system":"epss","scoring_elements":"0.78686","published_at":"2026-04-26T12:55:00Z"},{"value":"0.01165","scoring_system":"epss","scoring_elements":"0.78723","published_at":"2026-05-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-36542"},{"reference_url":"http://seclists.org/fulldisclosure/2023/Jul/43","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-03T13:50:05Z/"}],"url":"http://seclists.org/fulldisclosure/2023/Jul/43"},{"reference_url":"https://github.com/apache/nifi","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/nifi"},{"reference_url":"https://github.com/apache/nifi/commit/532578799c","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/nifi/commit/532578799c"},{"reference_url":"https://issues.apache.org/jira/browse/NIFI-11744","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://issues.apache.org/jira/browse/NIFI-11744"},{"reference_url":"https://lists.apache.org/thread/swnly3dzhhq9zo3rofc8djq77stkhbof","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-03T13:50:05Z/"}],"url":"https://lists.apache.org/thread/swnly3dzhhq9zo3rofc8djq77stkhbof"},{"reference_url":"https://nifi.apache.org/security.html#CVE-2023-36542","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-03T13:50:05Z/"}],"url":"https://nifi.apache.org/security.html#CVE-2023-36542"},{"reference_url":"http://www.openwall.com/lists/oss-security/2023/07/29/1","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-03T13:50:05Z/"}],"url":"http://www.openwall.com/lists/oss-security/2023/07/29/1"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-36542","reference_id":"CVE-2023-36542","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-36542"},{"reference_url":"https://github.com/advisories/GHSA-r969-8v3h-23v9","reference_id":"GHSA-r969-8v3h-23v9","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-r969-8v3h-23v9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/59199?format=json","purl":"pkg:maven/org.apache.nifi/nifi@1.23.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-hy35-v2p5-2ycq"},{"vulnerability":"VCID-ues1-6z47-q7hc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.23.0"}],"aliases":["CVE-2023-36542","GHSA-r969-8v3h-23v9"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rv8f-q4a4-xqbk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8729?format=json","vulnerability_id":"VCID-w18h-3c8s-s3eq","summary":"Deserialization of Untrusted Data\nAny authenticated user (valid client certificate but without ACL permissions) could upload a template which contained malicious code and caused a denial of service via Java deserialization attack.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-15703","reference_id":"","reference_type":"","scores":[{"value":"0.00111","scoring_system":"epss","scoring_elements":"0.28993","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00111","scoring_system":"epss","scoring_elements":"0.29316","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00111","scoring_system":"epss","scoring_elements":"0.29203","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00111","scoring_system":"epss","scoring_elements":"0.29138","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00111","scoring_system":"epss","scoring_elements":"0.29543","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00111","scoring_system":"epss","scoring_elements":"0.2961","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00111","scoring_system":"epss","scoring_elements":"0.29659","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00111","scoring_system":"epss","scoring_elements":"0.2948","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00111","scoring_system":"epss","scoring_elements":"0.29581","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00111","scoring_system":"epss","scoring_elements":"0.29584","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00111","scoring_system":"epss","scoring_elements":"0.29538","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00111","scoring_system":"epss","scoring_elements":"0.29485","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00111","scoring_system":"epss","scoring_elements":"0.29504","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00111","scoring_system":"epss","scoring_elements":"0.29477","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00111","scoring_system":"epss","scoring_elements":"0.29431","published_at":"2026-04-21T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-15703"},{"reference_url":"https://github.com/apache/nifi/commit/9e2c7be7d3c6a380c5f61074d9a5a690b617c3dc","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/nifi/commit/9e2c7be7d3c6a380c5f61074d9a5a690b617c3dc"},{"reference_url":"https://nifi.apache.org/security.html#CVE-2017-15703","reference_id":"","reference_type":"","scores":[],"url":"https://nifi.apache.org/security.html#CVE-2017-15703"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-15703","reference_id":"CVE-2017-15703","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-15703"},{"reference_url":"https://github.com/advisories/GHSA-xwx6-vmj4-5rv8","reference_id":"GHSA-xwx6-vmj4-5rv8","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xwx6-vmj4-5rv8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/26296?format=json","purl":"pkg:maven/org.apache.nifi/nifi@1.5.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2dsr-hras-zudk"},{"vulnerability":"VCID-2ema-4jrp-3kfr"},{"vulnerability":"VCID-3eka-p4cs-f3dz"},{"vulnerability":"VCID-4v3d-ugqf-uyag"},{"vulnerability":"VCID-6mt2-4tn4-5bcb"},{"vulnerability":"VCID-bppj-knks-jybe"},{"vulnerability":"VCID-bpqd-tx8f-kycf"},{"vulnerability":"VCID-g74u-zmqj-gyb7"},{"vulnerability":"VCID-gqjq-sbf1-x7ew"},{"vulnerability":"VCID-hy35-v2p5-2ycq"},{"vulnerability":"VCID-j263-1hyr-t7hn"},{"vulnerability":"VCID-rj21-6d19-gqbe"},{"vulnerability":"VCID-rn4r-36ab-sfey"},{"vulnerability":"VCID-rv8f-q4a4-xqbk"},{"vulnerability":"VCID-yrgr-3cv3-b3ff"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.5.0"}],"aliases":["CVE-2017-15703","GHSA-xwx6-vmj4-5rv8"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-w18h-3c8s-s3eq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50587?format=json","vulnerability_id":"VCID-yrgr-3cv3-b3ff","summary":"Apache NiFi process group information disclosure\nWhen updating a Process Group via the API in NiFi versions 1.3.0 to 1.9.2, the response to the request includes all of its contents (at the top most level, not recursively). The response included details about processors and controller services which the user may not have had read access to.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-10083","reference_id":"","reference_type":"","scores":[{"value":"0.01188","scoring_system":"epss","scoring_elements":"0.78903","published_at":"2026-05-05T12:55:00Z"},{"value":"0.01188","scoring_system":"epss","scoring_elements":"0.7882","published_at":"2026-04-12T12:55:00Z"},{"value":"0.01188","scoring_system":"epss","scoring_elements":"0.7881","published_at":"2026-04-13T12:55:00Z"},{"value":"0.01188","scoring_system":"epss","scoring_elements":"0.78839","published_at":"2026-04-16T12:55:00Z"},{"value":"0.01188","scoring_system":"epss","scoring_elements":"0.78836","published_at":"2026-04-18T12:55:00Z"},{"value":"0.01188","scoring_system":"epss","scoring_elements":"0.78834","published_at":"2026-04-21T12:55:00Z"},{"value":"0.01188","scoring_system":"epss","scoring_elements":"0.78862","published_at":"2026-04-24T12:55:00Z"},{"value":"0.01188","scoring_system":"epss","scoring_elements":"0.78869","published_at":"2026-04-26T12:55:00Z"},{"value":"0.01188","scoring_system":"epss","scoring_elements":"0.78886","published_at":"2026-04-29T12:55:00Z"},{"value":"0.01188","scoring_system":"epss","scoring_elements":"0.7876","published_at":"2026-04-01T12:55:00Z"},{"value":"0.01188","scoring_system":"epss","scoring_elements":"0.78767","published_at":"2026-04-02T12:55:00Z"},{"value":"0.01188","scoring_system":"epss","scoring_elements":"0.78798","published_at":"2026-04-04T12:55:00Z"},{"value":"0.01188","scoring_system":"epss","scoring_elements":"0.7878","published_at":"2026-04-07T12:55:00Z"},{"value":"0.01188","scoring_system":"epss","scoring_elements":"0.78806","published_at":"2026-04-08T12:55:00Z"},{"value":"0.01188","scoring_system":"epss","scoring_elements":"0.78814","published_at":"2026-04-09T12:55:00Z"},{"value":"0.01188","scoring_system":"epss","scoring_elements":"0.78837","published_at":"2026-04-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-10083"},{"reference_url":"https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E"},{"reference_url":"https://nifi.apache.org/security.html#CVE-2019-10083","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nifi.apache.org/security.html#CVE-2019-10083"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-10083","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:N/C:P/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-10083"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*"},{"reference_url":"https://github.com/advisories/GHSA-26p8-xrj2-mv53","reference_id":"GHSA-26p8-xrj2-mv53","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-26p8-xrj2-mv53"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/78830?format=json","purl":"pkg:maven/org.apache.nifi/nifi@1.10.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ema-4jrp-3kfr"},{"vulnerability":"VCID-3eka-p4cs-f3dz"},{"vulnerability":"VCID-4uja-72yx-6qdc"},{"vulnerability":"VCID-bppj-knks-jybe"},{"vulnerability":"VCID-bpqd-tx8f-kycf"},{"vulnerability":"VCID-ec58-s3nd-7yaz"},{"vulnerability":"VCID-g74u-zmqj-gyb7"},{"vulnerability":"VCID-gqjq-sbf1-x7ew"},{"vulnerability":"VCID-hy35-v2p5-2ycq"},{"vulnerability":"VCID-rn4r-36ab-sfey"},{"vulnerability":"VCID-rv8f-q4a4-xqbk"},{"vulnerability":"VCID-xhjy-xmhq-abh7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.10.0"}],"aliases":["CVE-2019-10083","GHSA-26p8-xrj2-mv53"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yrgr-3cv3-b3ff"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8347?format=json","vulnerability_id":"VCID-3rp1-pc25-euhm","summary":"Improper Restriction of XML External Entity Reference\nAn authorized user could upload a template which contained malicious code and accessed sensitive files via an XML External Entity.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-12623","reference_id":"","reference_type":"","scores":[{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.53189","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.53265","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.53303","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.53309","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.53289","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.5326","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.53271","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.53232","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.53181","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.53205","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.5323","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.53197","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.5325","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.53245","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.53296","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.53282","published_at":"2026-04-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-12623"},{"reference_url":"https://nifi.apache.org/security.html#CVE-2017-12623","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nifi.apache.org/security.html#CVE-2017-12623"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:nifi:1.0.0:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:nifi:1.0.0:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:nifi:1.0.0:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:nifi:1.0.1:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:nifi:1.0.1:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:nifi:1.0.1:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:nifi:1.1.0:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:nifi:1.1.0:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:nifi:1.1.0:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:nifi:1.1.1:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:nifi:1.1.1:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:nifi:1.1.1:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:nifi:1.1.2:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:nifi:1.1.2:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:nifi:1.1.2:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:nifi:1.2.0:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:nifi:1.2.0:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:nifi:1.2.0:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:nifi:1.3.0:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:nifi:1.3.0:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:nifi:1.3.0:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-12623","reference_id":"CVE-2017-12623","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:S/C:P/I:N/A:N"},{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-12623"},{"reference_url":"https://github.com/advisories/GHSA-qj7f-j6h9-g5rq","reference_id":"GHSA-qj7f-j6h9-g5rq","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qj7f-j6h9-g5rq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/25020?format=json","purl":"pkg:maven/org.apache.nifi/nifi@1.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2dsr-hras-zudk"},{"vulnerability":"VCID-2ema-4jrp-3kfr"},{"vulnerability":"VCID-3eka-p4cs-f3dz"},{"vulnerability":"VCID-4v3d-ugqf-uyag"},{"vulnerability":"VCID-6mt2-4tn4-5bcb"},{"vulnerability":"VCID-bppj-knks-jybe"},{"vulnerability":"VCID-bpqd-tx8f-kycf"},{"vulnerability":"VCID-g74u-zmqj-gyb7"},{"vulnerability":"VCID-gqjq-sbf1-x7ew"},{"vulnerability":"VCID-hy35-v2p5-2ycq"},{"vulnerability":"VCID-j263-1hyr-t7hn"},{"vulnerability":"VCID-k1bm-1u7b-vybp"},{"vulnerability":"VCID-rj21-6d19-gqbe"},{"vulnerability":"VCID-rjau-hbsn-u3ah"},{"vulnerability":"VCID-rn4r-36ab-sfey"},{"vulnerability":"VCID-rv8f-q4a4-xqbk"},{"vulnerability":"VCID-w18h-3c8s-s3eq"},{"vulnerability":"VCID-yrgr-3cv3-b3ff"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.4.0"}],"aliases":["CVE-2017-12623","GHSA-qj7f-j6h9-g5rq"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3rp1-pc25-euhm"}],"risk_score":"10.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.4.0"}