Search for packages
| purl | pkg:maven/org.apache.nifi/nifi@1.10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-17fs-znxa-aaad
Aliases: CVE-2020-9491 GHSA-rfmp-jvr7-hx78 |
Inadequate Encryption Strength in Apache NiFi |
Affected by 0 other vulnerabilities. Affected by 9 other vulnerabilities. |
|
VCID-1azx-u7h7-aaar
Aliases: CVE-2020-1933 GHSA-pqhq-xx62-2v2p |
Cross-site scripting in Apache NiFi |
Affected by 14 other vulnerabilities. |
|
VCID-3sj4-ck2n-aaac
Aliases: CVE-2021-20190 GHSA-5949-rw7g-wx7w |
Deserialization of untrusted data in jackson-databind |
Affected by 9 other vulnerabilities. |
|
VCID-3uyk-aqyg-aaas
Aliases: CVE-2023-34212 GHSA-65wh-g8x8-gm2h |
The JndiJmsConnectionFactoryProvider Controller Service, along with the ConsumeJMS and PublishJMS Processors, in Apache NiFi 1.8.0 through 1.21.0 allow an authenticated and authorized user to configure URL and library properties that enable deserialization of untrusted data from a remote location. The resolution validates the JNDI URL and restricts locations to a set of allowed schemes. You are recommended to upgrade to version 1.22.0 or later which fixes this issue. |
Affected by 3 other vulnerabilities. |
|
VCID-6st7-u1jz-aaar
Aliases: CVE-2020-1942 GHSA-7q8g-gpfp-v8gx |
Insertion of Sensitive Information into Log File in Apache NiFi |
Affected by 13 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-7n22-pdsj-aaae
Aliases: CVE-2023-49145 GHSA-68pr-6fjc-wmgm |
Apache NiFi 0.7.0 through 1.23.2 include the JoltTransformJSON Processor, which provides an advanced configuration user interface that is vulnerable to DOM-based cross-site scripting. If an authenticated user, who is authorized to configure a JoltTransformJSON Processor, visits a crafted URL, then arbitrary JavaScript code can be executed within the session context of the authenticated user. Upgrading to Apache NiFi 1.24.0 or 2.0.0-M1 is the recommended mitigation. |
Affected by 0 other vulnerabilities. |
|
VCID-ask9-ndpt-aaaj
Aliases: CVE-2021-44145 GHSA-rq96-qhc5-vm4r |
Exposure of Sensitive Information to an Unauthorized Actor in Apache NiFi |
Affected by 8 other vulnerabilities. |
|
VCID-cv12-baf8-aaap
Aliases: CVE-2020-1928 GHSA-w4fj-ccr6-7pcp |
Insertion of Sensitive Information into Log File in Apache NiFi |
Affected by 0 other vulnerabilities. Affected by 14 other vulnerabilities. |
|
VCID-e766-ndnv-aaae
Aliases: CVE-2020-13940 GHSA-q4xf-3pmq-3hw8 |
Improper Restriction of XML External Entity Reference in Apache NiFi |
Affected by 0 other vulnerabilities. Affected by 9 other vulnerabilities. |
|
VCID-f4t5-cj5v-aaam
Aliases: CVE-2023-34468 GHSA-xm2m-2q6h-22jw |
The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution. The resolution validates the Database URL and rejects H2 JDBC locations. You are recommended to upgrade to version 1.22.0 or later which fixes this issue. |
Affected by 3 other vulnerabilities. |
|
VCID-fa14-zk62-aaah
Aliases: CVE-2020-9487 GHSA-3pp3-77j6-8ph6 |
Missing Authentication for Critical Function in Apache NiFi |
Affected by 0 other vulnerabilities. Affected by 9 other vulnerabilities. |
|
VCID-hmz2-kc5j-aaac
Aliases: CVE-2022-29265 GHSA-wc97-7623-rxwx |
Multiple components in Apache NiFi do not restrict XML External Entity references |
Affected by 6 other vulnerabilities. |
|
VCID-n1sh-68hr-aaae
Aliases: CVE-2022-33140 GHSA-77hf-23pq-2g7c |
The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not neutralize arguments for group resolution commands, allowing injection of operating system commands on Linux and macOS platforms. The ShellUserGroupProvider is not included in the default configuration. Command injection requires ShellUserGroupProvider to be one of the enabled User Group Providers in the Authorizers configuration. Command injection also requires an authenticated user with elevated privileges. Apache NiFi requires an authenticated user with authorization to modify access policies in order to execute the command. Apache NiFi Registry requires an authenticated user with authorization to read user groups in order to execute the command. The resolution removes command formatting based on user-provided arguments. |
Affected by 5 other vulnerabilities. |
|
VCID-u1n4-8ypj-aaae
Aliases: CVE-2023-22832 GHSA-hxjp-q6c3-38fx |
XML External Entity Reference in Apache NiFi |
Affected by 4 other vulnerabilities. |
|
VCID-ua4c-vbw9-aaaa
Aliases: CVE-2023-36542 GHSA-r969-8v3h-23v9 |
Apache NiFi 0.0.2 through 1.22.0 include Processors and Controller Services that support HTTP URL references for retrieving drivers, which allows an authenticated and authorized user to configure a location that enables custom code execution. The resolution introduces a new Required Permission for referencing remote resources, restricting configuration of these components to privileged users. The permission prevents unprivileged users from configuring Processors and Controller Services annotated with the new Reference Remote Resources restriction. Upgrading to Apache NiFi 1.23.0 is the recommended mitigation. |
Affected by 2 other vulnerabilities. |
|
VCID-xkkm-nwvs-aaar
Aliases: CVE-2020-9486 GHSA-g644-pr5v-vppf |
Insertion of Sensitive Information into Log File in Apache NiFi |
Affected by 0 other vulnerabilities. Affected by 9 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-8kr5-8e95-aaab | Apache NiFi information disclosure by XXE |
CVE-2019-10080
GHSA-744r-vv2g-2x6g |
| VCID-8qn7-cthp-aaan | Apache NiFi process group information disclosure |
CVE-2019-10083
GHSA-26p8-xrj2-mv53 |
| VCID-pu1t-jgmd-aaas | Apache NiFi user log out issue |
CVE-2019-12421
GHSA-fmqw-vqh5-cwq9 |