CVE-2022-26850
- EPSS 1.44%
- Veröffentlicht 06.04.2022 18:15:09
- Zuletzt bearbeitet 21.11.2024 06:54:38
When creating or updating credentials for single-user access, Apache NiFi wrote a copy of the Login Identity Providers configuration to the operating system temporary directory. On most platforms, the operating system temporary directory has global r...
CVE-2021-44145
- EPSS 1.7%
- Veröffentlicht 17.12.2021 09:15:07
- Zuletzt bearbeitet 21.11.2024 06:30:26
In the TransformXML processor of Apache NiFi before 1.15.1 an authenticated user could configure an XSLT file which, if it included malicious external entity calls, may reveal sensitive information.
CVE-2020-27223
- EPSS 77.95%
- Veröffentlicht 26.02.2021 22:15:19
- Zuletzt bearbeitet 20.08.2025 10:15:27
In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) ...
CVE-2021-20190
- EPSS 7.48%
- Veröffentlicht 19.01.2021 17:15:13
- Zuletzt bearbeitet 27.08.2025 21:15:36
A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVE-2020-9491
- EPSS 2.87%
- Veröffentlicht 01.10.2020 20:15:14
- Zuletzt bearbeitet 21.11.2024 05:40:45
In Apache NiFi 1.2.0 to 1.11.4, the NiFi UI and API were protected by mandating TLS v1.2, as well as listening connections established by processors like ListenHTTP, HandleHttpRequest, etc. However intracluster communication such as cluster request r...
CVE-2020-9487
- EPSS 3.05%
- Veröffentlicht 01.10.2020 20:15:14
- Zuletzt bearbeitet 21.11.2024 05:40:44
In Apache NiFi 1.0.0 to 1.11.4, the NiFi download token (one-time password) mechanism used a fixed cache size and did not authenticate a request to create a download token, only when attempting to use the token to access the content. An unauthenticat...
CVE-2020-9486
- EPSS 3.56%
- Veröffentlicht 01.10.2020 20:15:14
- Zuletzt bearbeitet 21.11.2024 05:40:44
In Apache NiFi 1.10.0 to 1.11.4, the NiFi stateless execution engine produced log output which included sensitive property values. When a flow was triggered, the flow definition configuration JSON was printed, potentially containing sensitive values ...
CVE-2020-13940
- EPSS 1.91%
- Veröffentlicht 01.10.2020 20:15:13
- Zuletzt bearbeitet 21.11.2024 05:02:11
In Apache NiFi 1.0.0 to 1.11.4, the notification service manager and various policy authorizer and user group provider objects allowed trusted administrators to inadvertently configure a potentially malicious XML file. The XML file has the ability to...
CVE-2020-1942
- EPSS 3.12%
- Veröffentlicht 11.02.2020 21:15:11
- Zuletzt bearbeitet 21.11.2024 05:11:40
In Apache NiFi 0.0.1 to 1.11.0, the flow fingerprint factory generated flow fingerprints which included sensitive property descriptor values. In the event a node attempted to join a cluster and the cluster flow was not inheritable, the flow fingerpri...
CVE-2020-1933
- EPSS 2.81%
- Veröffentlicht 28.01.2020 01:15:12
- Zuletzt bearbeitet 21.11.2024 05:11:38
A XSS vulnerability was found in Apache NiFi 1.0.0 to 1.10.0. Malicious scripts could be injected to the UI through action by an unaware authenticated user in Firefox. Did not appear to occur in other browsers.