Org.apache.nifi:nifi

This hub aggregates every CVE we track for Org.apache.nifi:nifi, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Org.apache.nifi:nifi.

• CVE-2022-33140Improper Neutralization of Command Elements in Shell User Group Provider8.8Jun 15, 2022
• CVE-2022-29265Improper Restriction of XML External Entity References in Multiple Components7.5Apr 30, 2022
• CVE-2021-44145Apache NiFi information disclosure by XXE6.5Dec 17, 2021
• CVE-2020-9491In Apache NiFi 1.2.0 to 1.11.4, the NiFi UI and API were protected by mandating TLS v1.2, as well as listening connections established by processors like ListenHTTP, HandleHttpRequest, etc. However...7.5Oct 1, 2020
• CVE-2020-13940In Apache NiFi 1.0.0 to 1.11.4, the notification service manager and various policy authorizer and user group provider objects allowed trusted administrators to inadvertently configure a potentiall...5.5Oct 1, 2020
• CVE-2020-9487In Apache NiFi 1.0.0 to 1.11.4, the NiFi download token (one-time password) mechanism used a fixed cache size and did not authenticate a request to create a download token, only when attempting to ...7.5Oct 1, 2020
• CVE-2020-1933A XSS vulnerability was found in Apache NiFi 1.0.0 to 1.10.0. Malicious scripts could be injected to the UI through action by an unaware authenticated user in Firefox. Did not appear to occur in ot...6.1Jan 28, 2020
• CVE-2019-10083When updating a Process Group via the API in NiFi versions 1.3.0 to 1.9.2, the response to the request includes all of its contents (at the top most level, not recursively). The response included d...5.3Nov 19, 2019
• CVE-2019-10080The XMLFileLookupService in NiFi versions 1.3.0 to 1.9.2 allowed trusted users to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to se...6.5Nov 19, 2019
• CVE-2018-17195The template upload API endpoint accepted requests from different domain when sent in conjunction with ARP spoofing + man in the middle (MiTM) attack, resulting in a CSRF attack. The required attac...7.5Dec 19, 2018
• CVE-2018-17193The message-page.jsp error page used the value of the HTTP request header X-ProxyContextPath without sanitization, resulting in a reflected XSS attack. Mitigation: The fix to correctly parse and sa...6.1Dec 19, 2018
• CVE-2018-17192The X-Frame-Options headers were applied inconsistently on some HTTP responses, resulting in duplicate or missing security headers. Some browsers would interpret these results incorrectly, allowing...6.5Dec 19, 2018
• CVE-2018-1310Apache NiFi JMS Deserialization issue because of ActiveMQ client vulnerability. Malicious JMS content could cause denial of service. See ActiveMQ CVE-2015-5254 announcement for more information. Th...7.5May 23, 2018
• CVE-2017-15697A malicious X-ProxyContextPath or X-Forwarded-Context header containing external resources or embedded code could cause remote code execution. The fix to properly handle these headers was applied o...9.8Jan 23, 2018
• CVE-2017-12632A malicious host header in an incoming HTTP request could cause NiFi to load resources from an external server. The fix to sanitize host headers and compare to a controlled whitelist was applied on...7.5Jan 23, 2018