purl | pkg:maven/org.apache.nifi/nifi@1.1.1 |
Vulnerability | Summary | Fixed by |
---|---|---|
VCID-17fs-znxa-aaad (Aliases: CVE-2020-9491, GHSA-rfmp-jvr7-hx78) | Inadequate Encryption Strength in Apache NiFi | Affected by 0 other vulnerabilities. Affected by 9 other vulnerabilities. |
VCID-1azx-u7h7-aaar (Aliases: CVE-2020-1933, GHSA-pqhq-xx62-2v2p) | Cross-site scripting in Apache NiFi | Affected by 14 other vulnerabilities. |
VCID-3pbb-tajd-aaag (Aliases: CVE-2018-17195, GHSA-3jq8-jg75-rqv6) | Moderate severity vulnerability that affects org.apache.nifi:nifi | Affected by 17 other vulnerabilities. |
VCID-41xz-swbp-aaaq (Aliases: CVE-2018-1310, GHSA-p76j-5v6v-6c22) | Deserialization of Untrusted Data: Apache NiFi JMS Deserialization issue because of ActiveMQ client vulnerability. Malicious JMS content could cause denial of service. | Affected by 19 other vulnerabilities. |
VCID-6st7-u1jz-aaar (Aliases: CVE-2020-1942, GHSA-7q8g-gpfp-v8gx) | Insertion of Sensitive Information into Log File in Apache NiFi | Affected by 13 other vulnerabilities. Affected by 0 other vulnerabilities. |
VCID-71u6-xnca-aaad (Aliases: CVE-2017-7667, GHSA-jvx9-rj3w-jq99) | Origin Validation Error: Apache NiFi needs to establish the response header telling browsers to only allow framing with the same origin. | Affected by 25 other vulnerabilities. |
VCID-7n22-pdsj-aaae (Aliases: CVE-2023-49145, GHSA-68pr-6fjc-wmgm) | Apache NiFi 0.7.0 through 1.23.2 include the JoltTransformJSON Processor, which provides an advanced configuration user interface that is vulnerable to DOM-based cross-site scripting. If an authenticated user, who is authorized to configure a JoltTransformJSON Processor, visits a crafted URL, then arbitrary JavaScript code can be executed within the session context of the authenticated user. Upgrading to Apache NiFi 1.24.0 or 2.0.0-M1 is the recommended mitigation. | Affected by 0 other vulnerabilities. |
VCID-9axh-vpsw-aaag (Aliases: CVE-2017-15697, GHSA-29ph-fjf3-c5cm) | Improper Input Validation: A malicious `X-ProxyContextPath` or `X-Forwarded-Context` header containing external resources or embedded code could cause remote code execution. | Affected by 21 other vulnerabilities. |
VCID-ask9-ndpt-aaaj (Aliases: CVE-2021-44145, GHSA-rq96-qhc5-vm4r) | Exposure of Sensitive Information to an Unauthorized Actor in Apache NiFi | Affected by 8 other vulnerabilities. |
VCID-c9w7-rcsr-aaar (Aliases: CVE-2017-12632, GHSA-w4x6-j349-9r57) | Improper Input Validation: A malicious host header in an incoming HTTP request could cause NiFi to load resources from an external server. | Affected by 21 other vulnerabilities. |
VCID-e766-ndnv-aaae (Aliases: CVE-2020-13940, GHSA-q4xf-3pmq-3hw8) | Improper Restriction of XML External Entity Reference in Apache NiFi | Affected by 0 other vulnerabilities. Affected by 9 other vulnerabilities. |
VCID-ekeb-ukn3-aaaq (Aliases: CVE-2017-12623, GHSA-qj7f-j6h9-g5rq) | Improper Restriction of XML External Entity Reference: An authorized user could upload a template which contained malicious code and accessed sensitive files via an XML External Entity. | Affected by 24 other vulnerabilities. |
VCID-f4t5-cj5v-aaam (Aliases: CVE-2023-34468, GHSA-xm2m-2q6h-22jw) | The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution. The resolution validates the Database URL and rejects H2 JDBC locations. You are recommended to upgrade to version 1.22.0 or later which fixes this issue. | Affected by 3 other vulnerabilities. |
VCID-fa14-zk62-aaah (Aliases: CVE-2020-9487, GHSA-3pp3-77j6-8ph6) | Missing Authentication for Critical Function in Apache NiFi | Affected by 0 other vulnerabilities. Affected by 9 other vulnerabilities. |
VCID-hmz2-kc5j-aaac (Aliases: CVE-2022-29265, GHSA-wc97-7623-rxwx) | Multiple components in Apache NiFi do not restrict XML External Entity references | Affected by 6 other vulnerabilities. |
VCID-jkuw-85d2-aaad (Aliases: CVE-2018-17194, GHSA-43fp-vwwg-qgv6) | Moderate severity vulnerability that affects org.apache.nifi:nifi | Affected by 17 other vulnerabilities. |
VCID-km42-h6gv-aaas (Aliases: CVE-2017-5636, GHSA-jrcc-7jf5-3pxg) | Injection Vulnerability: The proxy chain `serialization/deserialization` is vulnerable to an injection attack where a carefully crafted username could impersonate another user and gain their permissions on a replicated request to another node. | Affected by 24 other vulnerabilities. |
VCID-pu1t-jgmd-aaas (Aliases: CVE-2019-12421, GHSA-fmqw-vqh5-cwq9) | Apache NiFi user log out issue | Affected by 16 other vulnerabilities. |
VCID-pu9w-h3kv-aaap (Aliases: CVE-2018-17193, GHSA-4qq9-rrq6-48ff) | Moderate severity vulnerability that affects org.apache.nifi:nifi | Affected by 17 other vulnerabilities. |
VCID-q87t-ahgd-aaam (Aliases: CVE-2017-5635, GHSA-jgj9-6v78-6g8m) | Improper Authentication: If an anonymous user request is replicated to another node, the originating node identity is used rather than the "anonymous" user. | Affected by 24 other vulnerabilities. |
VCID-ua4c-vbw9-aaaa (Aliases: CVE-2023-36542, GHSA-r969-8v3h-23v9) | Apache NiFi 0.0.2 through 1.22.0 include Processors and Controller Services that support HTTP URL references for retrieving drivers, which allows an authenticated and authorized user to configure a location that enables custom code execution. The resolution introduces a new Required Permission for referencing remote resources, restricting configuration of these components to privileged users. The permission prevents unprivileged users from configuring Processors and Controller Services annotated with the new Reference Remote Resources restriction. Upgrading to Apache NiFi 1.23.0 is the recommended mitigation. | Affected by 2 other vulnerabilities. |
VCID-uast-v5ac-aaac (Aliases: CVE-2018-1309, GHSA-42wx-65g4-5cxv) | Improper Restriction of XML External Entity Reference: Apache NiFi External XML Entity issue in `SplitXML` processor. Malicious XML content could cause information disclosure or remote code execution. | Affected by 19 other vulnerabilities. |
VCID-vew6-k9mp-aaab (Aliases: CVE-2017-15703, GHSA-xwx6-vmj4-5rv8) | Denial of service via deserialization attack in nifi | Affected by 21 other vulnerabilities. |
VCID-xkkm-nwvs-aaar (Aliases: CVE-2020-9486, GHSA-g644-pr5v-vppf) | Insertion of Sensitive Information into Log File in Apache NiFi | Affected by 0 other vulnerabilities. Affected by 9 other vulnerabilities. |
VCID-xxgv-nbrd-aaas (Aliases: CVE-2017-7665, GHSA-m5r7-w9v3-ghmx) | Cross-site Scripting: There are certain user input components in the UI which had been guarding for some forms of XSS issues but were insufficient. | Affected by 25 other vulnerabilities. |
VCID-zdnv-9xaw-aaas (Aliases: CVE-2018-17192, GHSA-2xpp-75vr-22vq) | Low severity vulnerability that affects org.apache.nifi:nifi | Affected by 19 other vulnerabilities. Affected by 17 other vulnerabilities. |

Vulnerability | Summary | Aliases |
---|---|---|
VCID-fn6p-rc11-aaag | Cross-site Scripting: In Apache NiFi, there is a cross-site scripting vulnerability in connection details dialog when accessed by an authorized user. The user supplied text was not being properly handled when added to the DOM. | CVE-2016-8748, GHSA-g2fm-x3cp-mqw9 |