Apache

Nifi

50 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
  • EPSS 3.96%
  • Veröffentlicht 28.01.2020 01:15:12
  • Zuletzt bearbeitet 21.11.2024 05:11:37

An information disclosure vulnerability was found in Apache NiFi 1.10.0. The sensitive parameter parser would log parsed values for debugging purposes. This would expose literal values entered in a sensitive property when no parameter was present.

  • EPSS 1.85%
  • Veröffentlicht 19.11.2019 22:15:11
  • Zuletzt bearbeitet 21.11.2024 04:22:48

When using an authentication mechanism other than PKI, when the user clicks Log Out in NiFi versions 1.0.0 to 1.9.2, NiFi invalidates the authentication token on the client side but not on the server side. This permits the user's client-side token to...

  • EPSS 2.75%
  • Veröffentlicht 19.11.2019 22:15:11
  • Zuletzt bearbeitet 21.11.2024 04:18:21

When updating a Process Group via the API in NiFi versions 1.3.0 to 1.9.2, the response to the request includes all of its contents (at the top most level, not recursively). The response included details about processors and controller services which...

  • EPSS 2.26%
  • Veröffentlicht 19.11.2019 22:15:11
  • Zuletzt bearbeitet 21.11.2024 04:18:21

The XMLFileLookupService in NiFi versions 1.3.0 to 1.9.2 allowed trusted users to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE) and reveal information such as the v...

  • EPSS 28.84%
  • Veröffentlicht 20.08.2019 21:15:12
  • Zuletzt bearbeitet 21.11.2024 04:18:22

In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by defa...

  • EPSS 2.97%
  • Veröffentlicht 19.12.2018 14:29:00
  • Zuletzt bearbeitet 21.11.2024 03:54:03

When a client request to a cluster node was replicated to other nodes in the cluster for verification, the Content-Length was forwarded. On a DELETE request, the body was ignored, but if the initial request had a Content-Length value other than 0, th...

  • EPSS 2.68%
  • Veröffentlicht 19.12.2018 14:29:00
  • Zuletzt bearbeitet 21.11.2024 03:54:03

The X-Frame-Options headers were applied inconsistently on some HTTP responses, resulting in duplicate or missing security headers. Some browsers would interpret these results incorrectly, allowing clickjacking attacks. Mitigation: The fix to consist...

  • EPSS 2.76%
  • Veröffentlicht 19.12.2018 14:29:00
  • Zuletzt bearbeitet 21.11.2024 03:54:03

The message-page.jsp error page used the value of the HTTP request header X-ProxyContextPath without sanitization, resulting in a reflected XSS attack. Mitigation: The fix to correctly parse and sanitize the request attribute value was applied on the...

  • EPSS 0.71%
  • Veröffentlicht 19.12.2018 14:29:00
  • Zuletzt bearbeitet 21.11.2024 03:54:04

The template upload API endpoint accepted requests from different domain when sent in conjunction with ARP spoofing + man in the middle (MiTM) attack, resulting in a CSRF attack. The required attack vector is complex, requiring a scenario with client...

  • EPSS 3.18%
  • Veröffentlicht 23.05.2018 14:29:00
  • Zuletzt bearbeitet 21.11.2024 03:59:35

Apache NiFi JMS Deserialization issue because of ActiveMQ client vulnerability. Malicious JMS content could cause denial of service. See ActiveMQ CVE-2015-5254 announcement for more information. The fix to upgrade the activemq-client library to 5.15....