org.apache.nifi:nifi (Maven) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Maven package org.apache.nifi:nifi, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (21)
CVE-2017-15697 — CVSS 9.8 (critical): A malicious X-ProxyContextPath or X-Forwarded-Context header containing external resources or embedded code could cause remote code…
CVE-2017-5636 — CVSS 9.8 (critical): In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, the proxy chain serialization/deserialization is vulnerable to…
CVE-2022-33140 — CVSS 8.8 (high): The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not neutralize arguments…
CVE-2017-5635 — CVSS 7.5 (high): In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, if an anonymous user request is replicated to another node, the…
CVE-2017-7667 — CVSS 7.5 (high): Apache NiFi before 0.7.4 and 1.x before 1.3.0 need to establish the response header telling browsers to only allow framing with the same…
CVE-2018-1310 — CVSS 7.5 (high): Apache NiFi JMS Deserialization issue because of ActiveMQ client vulnerability. Malicious JMS content could cause denial of service. See…
CVE-2017-12632 — CVSS 7.5 (high): A malicious host header in an incoming HTTP request could cause NiFi to load resources from an external server. The fix to sanitize host…
CVE-2020-9487 — CVSS 7.5 (high): In Apache NiFi 1.0.0 to 1.11.4, the NiFi download token (one-time password) mechanism used a fixed cache size and did not authenticate a…
CVE-2020-9491 — CVSS 7.5 (high): In Apache NiFi 1.2.0 to 1.11.4, the NiFi UI and API were protected by mandating TLS v1.2, as well as listening connections established by…
CVE-2018-17195 — CVSS 7.5 (high): The template upload API endpoint accepted requests from different domain when sent in conjunction with ARP spoofing + man in the middle…
CVE-2022-29265 — CVSS 7.5 (high): Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configuration. The…
CVE-2021-44145 — CVSS 6.5 (medium): In the TransformXML processor of Apache NiFi before 1.15.1 an authenticated user could configure an XSLT file which, if it included…
CVE-2019-10080 — CVSS 6.5 (medium): The XMLFileLookupService in NiFi versions 1.3.0 to 1.9.2 allowed trusted users to inadvertently configure a potentially malicious XML file…
CVE-2018-17192 — CVSS 6.5 (medium): The X-Frame-Options headers were applied inconsistently on some HTTP responses, resulting in duplicate or missing security headers. Some…
CVE-2017-12623 — CVSS 6.5 (medium): An authorized user could upload a template which contained malicious code and accessed sensitive files via an XML External Entity (XXE)…
CVE-2018-17193 — CVSS 6.1 (medium): The message-page.jsp error page used the value of the HTTP request header X-ProxyContextPath without sanitization, resulting in a reflected…
CVE-2017-7665 — CVSS 6.1 (medium): In Apache NiFi before 0.7.4 and 1.x before 1.3.0, there are certain user input components in the UI which had been guarding for some forms…
CVE-2020-1933 — CVSS 6.1 (medium): A XSS vulnerability was found in Apache NiFi 1.0.0 to 1.10.0. Malicious scripts could be injected to the UI through action by an unaware…
CVE-2020-13940 — CVSS 5.5 (medium): In Apache NiFi 1.0.0 to 1.11.4, the notification service manager and various policy authorizer and user group provider objects allowed…
CVE-2016-8748 — CVSS 5.4 (medium): In Apache NiFi before 1.0.1 and 1.1.x before 1.1.1, there is a cross-site scripting vulnerability in connection details dialog when…
CVE-2019-10083 — CVSS 5.3 (medium): When updating a Process Group via the API in NiFi versions 1.3.0 to 1.9.2, the response to the request includes all of its contents (at the…