Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:maven/org.apache.nifi/nifi@1.1.0

Type maven

Namespace org.apache.nifi

Name nifi

Version 1.1.0

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 1.5.0

Latest_non_vulnerable_version 1.24.0

Affected_by_vulnerabilities

url VCID-5yn9-8juq-mkd9

vulnerability_id VCID-5yn9-8juq-mkd9

summary

Cross-site Scripting
There are certain user input components in the UI which had been guarding for some forms of XSS issues but were insufficient.

references

reference_url	http://www.securityfocus.com/bid/99009
reference_id
reference_type
scores
url	http://www.securityfocus.com/bid/99009

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2017-7665
reference_id	CVE-2017-7665
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2017-7665

fixed_packages

url pkg:maven/org.apache.nifi/nifi@1.3.0

purl pkg:maven/org.apache.nifi/nifi@1.3.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-e3tg-8rmu-9ucb

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.3.0

aliases CVE-2017-7665

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5yn9-8juq-mkd9

url VCID-8ybn-5kck-d7fz

vulnerability_id VCID-8ybn-5kck-d7fz

summary

Cross-site Scripting
In Apache NiFi, there is a cross-site scripting vulnerability in connection details dialog when accessed by an authorized user. The user supplied text was not being properly handled when added to the DOM.

references

reference_url	https://nifi.apache.org/security.html#CVE-2016-8748
reference_id
reference_type
scores
url	https://nifi.apache.org/security.html#CVE-2016-8748

reference_url	http://www.securityfocus.com/bid/95621
reference_id
reference_type
scores
url	http://www.securityfocus.com/bid/95621

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2016-8748
reference_id	CVE-2016-8748
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2016-8748

fixed_packages

url pkg:maven/org.apache.nifi/nifi@1.1.1

purl pkg:maven/org.apache.nifi/nifi@1.1.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-m99c-5n4v-w7ec

vulnerability	VCID-r6wb-vjgp-tubn

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.1.1

aliases CVE-2016-8748

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8ybn-5kck-d7fz

url VCID-e3tg-8rmu-9ucb

vulnerability_id VCID-e3tg-8rmu-9ucb

summary

Improper Restriction of XML External Entity Reference
An authorized user could upload a template which contained malicious code and accessed sensitive files via an XML External Entity.

references

reference_url	https://nifi.apache.org/security.html#CVE-2017-12623
reference_id
reference_type
scores
url	https://nifi.apache.org/security.html#CVE-2017-12623

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2017-12623
reference_id	CVE-2017-12623
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2017-12623

fixed_packages

url pkg:maven/org.apache.nifi/nifi@1.4.0

purl pkg:maven/org.apache.nifi/nifi@1.4.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2ps4-jf7z-nqf1

vulnerability	VCID-cqqh-wp8z-jua2

vulnerability	VCID-jnfq-u9wb-k7dq

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.4.0

aliases CVE-2017-12623

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-e3tg-8rmu-9ucb

url VCID-m99c-5n4v-w7ec

vulnerability_id VCID-m99c-5n4v-w7ec

summary

Injection Vulnerability
The proxy chain `serialization/deserialization` is vulnerable to an injection attack where a carefully crafted username could impersonate another user and gain their permissions on a replicated request to another node.

references

reference_url	https://nifi.apache.org/security.html#CVE-2017-5636
reference_id
reference_type
scores
url	https://nifi.apache.org/security.html#CVE-2017-5636

reference_url	http://www.securityfocus.com/bid/96731
reference_id
reference_type
scores
url	http://www.securityfocus.com/bid/96731

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2017-5636
reference_id	CVE-2017-5636
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2017-5636

fixed_packages

url pkg:maven/org.apache.nifi/nifi@1.1.2

purl pkg:maven/org.apache.nifi/nifi@1.1.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-5yn9-8juq-mkd9

vulnerability	VCID-e3tg-8rmu-9ucb

vulnerability	VCID-ty4z-t2su-muc6

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.1.2

aliases CVE-2017-5636

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-m99c-5n4v-w7ec

url VCID-r6wb-vjgp-tubn

vulnerability_id VCID-r6wb-vjgp-tubn

summary

Improper Authentication
If an anonymous user request is replicated to another node, the originating node identity is used rather than the "anonymous" user.

references

reference_url	https://nifi.apache.org/security.html#CVE-2017-5635
reference_id
reference_type
scores
url	https://nifi.apache.org/security.html#CVE-2017-5635

reference_url	http://www.securityfocus.com/bid/96730
reference_id
reference_type
scores
url	http://www.securityfocus.com/bid/96730

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2017-5635
reference_id	CVE-2017-5635
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2017-5635

fixed_packages

url pkg:maven/org.apache.nifi/nifi@1.1.2

purl pkg:maven/org.apache.nifi/nifi@1.1.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-5yn9-8juq-mkd9

vulnerability	VCID-e3tg-8rmu-9ucb

vulnerability	VCID-ty4z-t2su-muc6

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.1.2

aliases CVE-2017-5635

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-r6wb-vjgp-tubn

url VCID-ty4z-t2su-muc6

vulnerability_id VCID-ty4z-t2su-muc6

summary

Origin Validation Error
Apache NiFi needs to establish the response header telling browsers to only allow framing with the same origin.

references

reference_url	http://www.securityfocus.com/bid/99018
reference_id
reference_type
scores
url	http://www.securityfocus.com/bid/99018

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2017-7667
reference_id	CVE-2017-7667
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2017-7667

fixed_packages

url pkg:maven/org.apache.nifi/nifi@1.3.0

purl pkg:maven/org.apache.nifi/nifi@1.3.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-e3tg-8rmu-9ucb

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.3.0

aliases CVE-2017-7667

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ty4z-t2su-muc6

Fixing_vulnerabilities

Risk_score null

Resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.1.0

Package Instance