Apache NiFi welcomes the responsible reporting of security vulnerabilities. Project Management Committee members will collaborate and respond to potential vulnerabilities, providing an assessment of the concern and a plan of action to remediate verified issues.
Please read the Apache Project Security for Committers policy for general guidelines applicable disclosure of security issues for Apache Software Foundation projects.
Do not perform the following actions after discovering a potential security concern:
Configuring dangerous operating system commands or custom scripts is not a project security vulnerability. Authenticated and authorized users are responsible for the security of operating system commands and custom code.
Apache NiFi provides a framework for developing processing pipelines using standard and custom components. The framework supports configurable permissions that enable authorized users to execute code using several standard components. Components such as ExecuteProcess and ExecuteStreamCommand support running operating system commands, while other scripted components support executing custom code using different programming languages. Configuring these components with untrusted commands or arguments is contrary to best practices, but it does not constitute of security issue for remediation.
CVE-2023-40037: Incomplete Validation of JDBC and JNDI Connection URLs
Severity: Moderate
Versions Affected:
Apache NiFi 1.21.0 through 1.23.0 support JDBC and JNDI JMS access in several Processors and Controller Services with connection URL validation that does not provide sufficient protection against crafted inputs. An authenticated and authorized user can bypass connection URL validation using custom input formatting. The resolution enhances connection URL validation and introduces validation for additional related properties. Upgrading to Apache NiFi 1.23.1 is the recommended mitigation.
Credit: This issue was discovered by Matei "Mal" Badanoiu
CVE Link: Mitre Database CVE-2023-40037
NiFi Jira: NIFI-11920
NiFi PR: PR 7586
Released: 2023-08-18
CVE-2023-36542: Potential Code Injection with Properties Referencing Remote Resources
Severity: Moderate
Versions Affected:
Apache NiFi 0.0.2 through 1.22.0 include Processors and Controller Services that support HTTP URL references for retrieving drivers, which allows an authenticated and authorized user to configure a location that enables custom code execution. The resolution introduces a new Required Permission for referencing remote resources, restricting configuration of these components to privileged users. The permission prevents unprivileged users from configuring Processors and Controller Services annotated with the new Reference Remote Resources restriction. Upgrading to Apache NiFi 1.23.0 is the recommended mitigation.
Credit: This issue was discovered by nbxiglk
CVE Link: Mitre Database CVE-2023-36542
NiFi Jira: NIFI-11744
NiFi PR: PR 7426
Released: 2023-07-28
CVE-2023-34468: Potential Code Injection with Database Services using H2
Severity: Important
Versions Affected:
The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution.
The resolution validates the Database URL and rejects H2 JDBC locations.
Mitigation: Upgrading to NiFi 1.22.0 disables H2 JDBC URLs in the default configuration.
Credit: This issue was discovered by Matei "Mal" Badanoiu
CVE Link: Mitre Database CVE-2023-34468
NiFi Jira: NIFI-11653
NiFi PR: PR 7349
Released: 2023-06-12
CVE-2023-34212: Potential Deserialization of Untrusted Data with JNDI in JMS Components
Severity: Important
Versions Affected:
The JndiJmsConnectionFactoryProvider Controller Service along with the ConsumeJMS and PublishJMS Processors, in Apache NiFi 1.8.0 through 1.21.0 allow an authenticated and authorized user to configure URL and library properties that enable deserialization of untrusted data from a remote location.
The resolution validates the JNDI URL and restricts locations to a set of allowed schemes.
Mitigation: Upgrading to NiFi 1.22.0 disables LDAP for JNDI URLs in the default configuration.
Credit: This issue was discovered by Veraxy00 of Qianxin TI Center and also reported by Matei "Mal" Badanoiu
CVE Link: Mitre Database CVE-2023-34212
NiFi Jira: NIFI-11614
NiFi PR: PR 7313
Released: 2023-06-12
CVE-2023-22832: Improper Restriction of XML External Entity References in ExtractCCDAAttributes
Severity: Moderate
Versions Affected:
The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references.
Flow configurations that include the ExtractCCDAAttributes Processor are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references.
The resolution disables Document Type Declarations and disallows XML External Entity resolution in the ExtractCCDAAttributes Processor.
Mitigation: Upgrading to NiFi 1.20.0 disables Document Type Declarations in the default configuration for ExtractCCDAAttributes.
Credit: This issue was discovered by Yi Cai of Chaitin Tech
CVE Link: Mitre Database CVE-2023-22832
NiFi Jira: NIFI-11029
NiFi PR: PR 6828
Released: 2023-02-09
CVE-2022-33140: Improper Neutralization of Command Elements in Shell User Group Provider
Severity: High
Products Affected:
Versions Affected:
Description: The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not neutralize arguments for group resolution commands, allowing injection of operating system commands on Linux and macOS platforms.
The ShellUserGroupProvider is not included in the default configuration. Command injection requires ShellUserGroupProvider to be one of the enabled User Group Providers in the Authorizers configuration. Command injection also requires an authenticated user with elevated privileges. Apache NiFi requires an authenticated user with authorization to modify access policies to execute the command. Apache NiFi Registry requires an authenticated user with authorization to read user groups to execute the command.
Mitigation: NiFi and NiFi Registry version 1.16.3 has completely removed the shell commands from the ShellUserGroupProvider that received user arguments.
Credit: This issue was discovered by an anonymous reporter
CVE Link: Mitre Database CVE-2022-33140
NiFi Jira: NIFI-10114
NiFi PR: PR 6122
Released: June 15, 2022
CVE-2022-29265: Apache NiFi Improper Restriction of XML External Entity References in Multiple Components
Severity: Moderate
Versions Affected:
Description: Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configuration. The Standard Content Viewer service attempts to resolve XML External Entity references when viewing formatted XML files. The following Processors attempt to resolve XML External Entity references when configured with default property values:
Apache NiFi flow configurations that include these Processors are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references.
Mitigation: Upgrading to NiFi 1.16.1 disables Document Type Declarations in the default configuration for these processors, and disallows XML External Entity resolution in standard services.
Credit: This issue was discovered by David Handermann (exceptionfactory.com)
CVE Link: Mitre Database CVE-2022-29265
NiFi Jira: NIFI-9901, NIFI-9943
NiFi PR: PR 5962, PR 5986, PR 5994
Released: April 29, 2022
CVE-2020-36518: Apache NiFi's use of jackson-databind
Severity: Moderate
Versions Affected:
Description: The vulnerable jackson-databind dependency allows a Java stack overflow exception and denial of service via a large depth of nested objects.
Mitigation: We have upgraded the jackson-databind version that NiFi uses from 2.13.2 to 2.13.2.20220328.
CVE Link: Mitre Database CVE-2020-36518
NiFi Jira: NIFI-9952
Released: April 29, 2022
CVE-2022-26850: Apache NiFi insufficiently protected credentials
Severity: Low
Versions Affected:
Description: When creating or updating credentials for single-user access, NiFi wrote a copy of the Login Identity Providers configuration to the operating system temporary directory. The Login Identity Providers configuration file contains the username and a bcrypt hash of the configured password. On most platforms, the operating system temporary directory has global read permissions. NiFi immediately moved the temporary file to the final configuration directory, which significantly limited the window of opportunity for access.
Bcrypt is a password-hashing algorithm that incorporates a random salt and a specified cost factor, designed to maintain resistance to brute-force attacks. Use of the bcrypt algorithm minimizes the impact of disclosing the single-user credentials stored in Login Identity Providers.
Mitigation: NiFi 1.16.0 includes updates to replace the Login Identity Providers configuration without writing a file to the operating system temporary directory.
Credit: This issue was discovered by Jonathan Leitschuh (https://twitter.com/jlleitschuh). Report available here: JLLeitschuh Github
CVE Link: Mitre Database: CVE-2022-26850
NiFi Jira: NIFI-9785
NiFi PR: PR 5856
Released: March 27, 2022
CVE-2021-42392: Apache NiFi's use of H2 database
Severity: Important
Versions Affected:
Description: Apache NiFi uses H2 database for storing various NiFi runtime details. H2 database had a critical vulnerability similar to Log4Shell which potentially allows JNDI remote codebase loading. In NiFi, by default, console access to the database is restricted to local machine access only and remote access is disabled which limited the severity of this vulnerability. More detailed information on the H2 vulnerability can be found in this blog post.
Mitigation: We have upgraded the H2 version that NiFi uses from 1.4.199 to 2.1.210. The vulnerability is also mitigated with more recent versions of Java (6u211 , 7u201, 8u191, 11.0.1 onwards).
CVE Link: Mitre Database: CVE-2021-42392
NiFi Jira: NIFI-9585
Released: March 27, 2022
CVE-2021-44145: Apache NiFi information disclosure by XXE in TransformXML
Severity: Low
Versions Affected:
Description: In the TransformXML processor, an authenticated user could configure an XSLT file which, if it included malicious external entity calls, may reveal sensitive information.
Mitigation: The 'Secure processing' property will now apply to the configured XSLT file as well as flow files being transformed. Users running any previous NiFi release should upgrade to the latest release.
Credit: This issue was discovered by DangKhai at Viettel Cyber Security.
CVE Link: Mitre Database: CVE-2021-44145
NiFi Jira: NIFI-9399
NiFi PR: PR 5542
Released: December 15, 2021
CVE-2021-44228: Apache NiFi's use of log4j
Severity: None
Versions Affected:
Description: For posterity we will note here that Apache NiFi uses SLF4J for logging with Logback as the runtime implementation since the project's inception. One of our PMC members has written an analysis of NiFi's vulnerability (or lack thereof) here: https://exceptionfactory.com/posts/2021/12/14/evaluating-log4shell-and-apache-nifi. For more information on the log4j vulnerability, see NIST NVD CVE-2021-44228.
Mitigation: We have taken measures to ensure that any potential instances of log4j brought in by dependencies are overriden to log4j 2.16.0.
CVE Link: Mitre Database: CVE-2021-44228
NiFi Jira: NIFI-9474
NiFi Jira: NIFI-9482
NiFi PR: PR 5592
NiFi PR: PR 5595
NiFi PR: PR 5598
NiFi PR: PR 5600
Released: December 15, 2021
CVE-2020-27218: Apache NiFi's use of Jetty server
Severity: Low
Versions Affected:
Description: The Jetty server dependency had a HTTP Request Smuggling vulnerability. See NIST NVD CVE-2020-27218 for more information.
Mitigation: Jetty server was upgraded from 9.4.26.v20200117 to 9.4.35.v20201120 for the Apache NiFi 1.13.0 release.
CVE Link: Mitre Database: CVE-2020-27218
NiFi Jira: NIFI-8098
NiFi PR: PR 4731
Released: February 16, 2021
CVE-2021-20190: Apache NiFi's jackson-databind usage
Severity: Low
Versions Affected:
Description: The com.fasterxml.jackson.core:jackson-databind dependency had various serialization vulnerabilities. See NIST NVD CVE-2021-20190 for more information.
Mitigation: jackson-databind was upgraded from 2.9.10.5 to 2.9.10.8 for the Apache NiFi 1.13.0 release.
CVE Link: Mitre Database: CVE-2021-20190
NiFi Jira: NIFI-8166
NiFi PR: PR 4777
Released: February 16, 2021
CVE-2020-9486: Apache NiFi information disclosure in logs
Severity: Important
Versions Affected:
Description: The NiFi stateless execution engine produced log output which included sensitive property values. When a flow was triggered, the flow definition configuration JSON was printed, potentially containing sensitive values in plaintext.
Mitigation: Implemented Argon2 secure hashing to provide a deterministic loggable value which does not reveal the sensitive value. Users running any previous NiFi release should upgrade to the latest release.
Credit: This issue was discovered by Andy LoPresto and Pierre Villard.
CVE Link: Mitre Database: CVE-2020-9486
NiFi Jira: NIFI-7377
NiFi PR: PR 4222
Released: August 18, 2020
CVE-2020-9487: Apache NiFi denial of service
Severity: Important
Versions Affected:
Description: The NiFi download token (one-time password) mechanism used a fixed cache size and did not authenticate a request to create a download token, only when attempting to use the token to access the content. An unauthenticated user could repeatedly request download tokens, preventing legitimate users from requesting download tokens.
Mitigation: Disabled anonymous authentication, implemented a multi-indexed cache, and limited token creation requests to one concurrent request per user. Users running any previous NiFi release should upgrade to the latest release.
Credit: This issue was discovered by Dennis Detering (IT Security Consultant at Spike Reply).
CVE Link: Mitre Database: CVE-2020-9487
NiFi Jira: NIFI-7385
NiFi PR: PR 4271
Released: August 18, 2020
CVE-2020-9491: Apache NiFi use of weak TLS protocols
Severity: Critical
Versions Affected:
Description: The NiFi UI and API were protected by mandating TLS v1.2, as well as listening connections established by processors like ListenHTTP, HandleHttpRequest, etc. However intracluster communication such as cluster request replication, Site-to-Site, and load balanced queues continued to support TLS v1.0 or v1.1.
Mitigation: Refactored disparate internal SSL and TLS code, reducing exposure for extension and framework developers to low-level primitives. Added support for TLS v1.3 on supporting JVMs. Restricted all incoming TLS communications to TLS v1.2+. Users running any previous NiFi release should upgrade to the latest release.
Credit: This issue was discovered by Juan Carlos Sequeiros and Andy LoPresto.
CVE Link: Mitre Database: CVE-2020-9491
NiFi Jira: NIFI-7407
NiFi PR: PR 4263
Released: August 18, 2020
CVE-2020-13940: Apache NiFi information disclosure by XXE
Severity: Low
Versions Affected:
Description: The notification service manager and various policy authorizer and user group provider objects allowed trusted administrators to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE).
Mitigation: An XML validator was introduced to prevent malicious code from being parsed and executed. Users running any previous NiFi release should upgrade to the latest release.
Credit: This issue was discovered by Matt Burgess and Andy LoPresto.
CVE Link: Mitre Database: CVE-2020-13940
NiFi Jira: NIFI-7680
NiFi PR: PR 4436
Released: August 18, 2020
CVE-2019-9658: Apache NiFi's checkstyle usage
Severity: Low
Versions Affected:
Description: The com.puppycrawl.tools:checkstyle dependency had a XXE vulnerability. See NIST NVD CVE-2019-9658 for more information.
Mitigation: checkstyle was upgraded from 8.28 to 8.29 for the Apache NiFi 1.12.0 release.
CVE Link: Mitre Database: CVE-2019-9658
NiFi Jira: NIFI-7108
NiFi PR: PR 4041
Released: August 18, 2020
CVE-2019-12086: Apache NiFi's jackson-databind usage
Severity: Low
Versions Affected:
Description: The com.fasterxml.jackson.core:jackson-databind dependency had a polymorphic typing vulnerability which exposed some MySQL server access to an attacker. See NIST NVD CVE-2019-12086 for more information.
Mitigation: jackson-databind was upgraded from 2.9.10.1 to 2.9.10.5 for the Apache NiFi 1.12.0 release.
CVE Link: Mitre Database: CVE-2019-12086
NiFi Jira: NIFI-7542
NiFi PR: PR 4362
Released: August 18, 2020
CVE-2020-7676: Apache NiFi's angular.js usage
Severity: Low
Versions Affected:
Description: The angular.js dependency had an XSS vulnerability. See NIST NVD CVE-2020-7676-9658 for more information.
Mitigation: angular.js was upgraded from 1.7.9 to 1.8.0 for the Apache NiFi 1.12.0 release.
CVE Link: Mitre Database: CVE-2020-7676
NiFi Jira: NIFI-7577
NiFi PR: PR 4357
Released: August 18, 2020
CVE-2020-11023: Apache NiFi's jquery usage
Severity: Low
Versions Affected:
Description: The jquery dependency had an XSS vulnerability. See NIST NVD CVE-2020-11023 for more information.
Mitigation: jquery was upgraded from 3.4.1 to 3.5.1 for the Apache NiFi 1.12.0 release.
CVE Link: Mitre Database: CVE-2020-11023
NiFi Jira: NIFI-7423
NiFi PR: PR 4258
Released: August 18, 2020
CVE-2020-5398: Apache NiFi's spring-data-redis usage
Severity: Moderate
Versions Affected:
Description: The org.springframework.data:spring-data-redis dependency in the nifi-redis-bundle had a vulnerable transitive dependency. See NIST NVD CVE-2020-5398 for more information.
Mitigation: spring-data-redis was upgraded from 2.1.0.RELEASE to 2.1.16.RELEASE for the Apache NiFi 1.11.4 release. It is unlikely that NiFi's usage of this dependency could be exploited as described by the CVE, however we consider it prudent for users running a prior 1.x release to upgrade to the 1.11.4 release.
CVE Link: Mitre Database: CVE-2020-5398
NiFi Jira: NIFI-7267
NiFi PR: PR 4150
Released: March 22, 2020
CVE-2020-1942: Apache NiFi information disclosure in logs
Severity: Important
Versions Affected:
Description: The flow fingerprint factory generated flow fingerprints which included sensitive property descriptor values. In the event a node attempted to join a cluster and the cluster flow was not inheritable, the flow fingerprint of both the cluster and local flow was printed, potentially containing sensitive values in plaintext.
Mitigation: Implemented Argon2 secure hashing to provide a deterministic loggable value which does not reveal the sensitive value. Users running any previous NiFi release should upgrade to the latest release.
Credit: This issue was discovered by Andy LoPresto.
CVE Link: Mitre Database: CVE-2020-1942
NiFi Jira: NIFI-7079
NiFi PR: PR 4208
Released: February 4, 2020
CVE-2020-1928: Apache NiFi information disclosure in logs
Severity: Moderate
Versions Affected:
Description: The sensitive parameter parser would log parsed property descriptor values for debugging purposes. This would expose literal values entered in a sensitive property when no parameter was present.
Mitigation: Removed debug logging from the class. Users running the 1.10.0 release should upgrade to the latest release.
Credit: This issue was discovered by Andy LoPresto.
CVE Link: Mitre Database: CVE-2020-1928
NiFi Jira: NIFI-6948
NiFi PR: PR 3935
Released: January 22, 2020
CVE-2020-1933: Apache NiFi XSS attack
Severity: Important
Versions Affected:
Description: Malicious scripts could be injected to the UI through action by an unaware authenticated user in Firefox. Did not appear to occur in other browsers.
Mitigation: Sanitization of the error response ensures the XSS would not be executed. Users running a prior 1.x release should upgrade to the latest release.
Credit: This issue was discovered by Jakub Palaczynski (ING Tech Poland).
CVE Link: Mitre Database: CVE-2020-1933
NiFi Jira: NIFI-7023
NiFi PR: PR 3991
Released: January 22, 2020
CVE-2019-10768: Apache NiFi's AngularJS usage
Severity: Important
Versions Affected:
Description: An Object.prototype pollution vulnerability existed within the AngularJS dependency used by NiFi. See NIST NVD CVE-2019-10768 for more information.
Mitigation: AngularJS was upgraded from 1.7.2 to 1.7.9 for the Apache NiFi 1.11.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
Credit: This issue was identified by Pierre Villard.
CVE Link: Mitre Database: CVE-2019-10768
NiFi Jira: NIFI-6893
NiFi PR: PR 3899
Released: January 22, 2020
CVE-2019-10080: Apache NiFi information disclosure by XXE
Severity: Low
Versions Affected:
Description: The XMLFileLookupService allowed trusted users to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE) and reveal information such as the versions of Java, Jersey, and Apache that the NiFI instance uses.
Mitigation: A validator to ensure the XML file is not malicious was applied on the Apache NiFi 1.10.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
Credit: This issue was discovered by RunningSnail.
CVE Link: Mitre Database: CVE-2019-10080
NiFi Jira: NIFI-6301
NiFi PR: PR 3507
Released: November 4, 2019
CVE-2019-12421: Apache NiFi user log out issue
Severity: Moderate
Versions Affected:
Description: If NiFi uses an authentication mechanism other than PKI, when the user clicks Log Out, NiFi invalidates the authentication token on the client side but not on the server side. This permits the user's client-side token to be used for up to 12 hours after logging out to make API requests to NiFi.
Mitigation: The fix to invalidate the server-side authentication token immediately after the user clicks 'Log Out' was applied on the Apache NiFi 1.10.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
Credit: This issue was discovered by Abdu Sahin.
CVE Link: Mitre Database: CVE-2019-12421
NiFi Jira: NIFI-6085
NiFi PR: PR 3362
Released: November 4, 2019
CVE-2019-10083: Apache NiFi process group information disclosure
Severity: Low
Versions Affected:
Description: When updating a Process Group via the API, the response to the request includes all of its contents (at the top most level, not recursively). The response included details about processors and controller services which the user may not have had read access to.
Mitigation: Requests to update or remove the process group will no longer return the contents of the process group in the response in Apache NiFi 1.10.0. Users running a prior 1.x release should upgrade to the appropriate release.
Credit: This issue was discovered by Mark Payne.
CVE Link: Mitre Database: CVE-2019-100833
NiFi Jira: NIFI-6302
Released: November 4, 2019
CVE-2017-5637, CVE-2016-5017, CVE-2018-8012: Apache NiFi's Zookeeper usage
Severity: Important
Versions Affected:
Description: Various vulnerabilities existed within the Zookeeper dependency used by NiFi. See NIST NVD CVE-2018-8012, NIST NVD CVE-2017-5637, NIST NVD CVE-2016-5017 for more information.
Mitigation: The fix to upgrade the Zookeeper dependency from 3.4.6 to 3.5.5 was applied on the Apache NiFi 1.10.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
Credit: This issue was identified by Nathan Gough.
CVE Link: Mitre Database: CVE-2018-8012, Mitre Database: CVE-2017-5637, Mitre Database: CVE-2016-5017
NiFi Jira: NIFI-6578
NiFi PR: PR 3715
Released: November 4, 2019
CVE-2019-0193, CVE-2019-0192, CVE-2017-3164: Apache NiFi's Solr usage
Severity: Critical
Versions Affected:
Description: Various vulnerabilities existed within the Solr dependency used by NiFi. See NIST NVD CVE-2019-0193, NIST NVD CVE-2019-0192, NIST NVD CVE-2017-3164 for more information.
Mitigation: The fix to upgrade the Solr dependency from 6.2.0 to 6.6.6 was applied on the Apache NiFi 1.10.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
Credit: This issue was identified by Nathan Gough.
CVE Link: Mitre Database: CVE-2019-0193, Mitre Database: CVE-2019-0192, Mitre Database: CVE-2017-3164
NiFi Jira: NIFI-6516
NiFi PR: PR 3629
Released: November 4, 2019
CVE-2019-16335, CVE-2019-14540, CVE-2019-14439, CVE-2019-12814, CVE-2019-12384, CVE-2019-12086, CVE-2018-1000873, CVE-2018-19362, CVE-2018-19361, CVE-2018-19360: Apache NiFi's Jackson Core Databind usage
Severity: Medium
Versions Affected:
Description: Various vulnerabilities existed within the Jackson Core: Databind dependency used by NiFi. See NIST NVD CVE-2019-16335, NIST NVD CVE-2019-14540, NIST NVD CVE-2019-14439, NIST NVD CVE-2019-12814, NIST NVD CVE-2019-12384, NIST NVD CVE-2019-12086, NIST NVD CVE-2018-1000873, NIST NVD CVE-2018-19362, NIST NVD CVE-2018-19361, NIST NVD CVE-2018-19360 for more information.
Mitigation: The fix to upgrade the jackson-databind dependency from 2.9.7 to 2.9.10 was applied on the Apache NiFi 1.10.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
Credit: This issue was identified by Pierre Villard and Nathan Gough.
CVE Link: Mitre Database: CVE-2019-16335, Mitre Database: CVE-2019-14540, Mitre Database: CVE-2019-14439, Mitre Database: CVE-2019-12814, Mitre Database: CVE-2019-12384, Mitre Database: CVE-2019-12086, Mitre Database: CVE-2018-1000873, Mitre Database: CVE-2018-19362, Mitre Database: CVE-2018-19361, Mitre Database: CVE-2018-19360
NiFi Jira: NIFI-6709
NiFi PR: PR 3765
Released: November 4, 2019
CVE-2019-10247, CVE-2019-10246: Apache NiFi's Jetty usage
Severity: Medium
Versions Affected:
Description: Various vulnerabilities existed within the Jetty dependency used by NiFi. See NIST NVD CVE-2019-10247, NIST NVD CVE-2019-10246 for more information.
Mitigation: The fix to upgrade the Jetty dependency from 9.4.11.v20180605 to 9.4.19.v20190610 was applied on the Apache NiFi 1.10.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
Credit: This issue was identified by Jeff Storck and Nathan Gough.
CVE Link: Mitre Database: CVE-2019-10247, Mitre Database: CVE-2019-10246
NiFi Jira: NIFI-6330
NiFi PR: PR 3534
Released: November 4, 2019
CVE-2019-11358: Apache NiFi's JQuery usage
Severity: Medium
Versions Affected:
Description: Various vulnerabilities existed within the JQuery dependency used by NiFi. See NIST NVD CVE-2019-11358 for more information.
Mitigation: The fix to upgrade the JQuery dependency from 3.1.1 to 3.4.1 was applied on the Apache NiFi 1.10.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
Credit: This issue was identified by Matt Gilman and Rob Fellows.
CVE Link: Mitre Database: CVE-2019-11358
NiFi Jira: NIFI-6316
NiFi PR: PR 3489
Released: November 4, 2019
CVE-2018-17192: Apache NiFi clickjacking vulnerability
Severity: Low
Versions Affected:
Description: The X-Frame-Options headers were applied inconsistently on some HTTP responses, resulting in duplicate or missing security headers. Some browsers would interpret these results incorrectly, allowing clickjacking attacks.
Mitigation: The fix to consistently apply the security headers was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
Credit: This issue was discovered by Suchithra V N.
CVE Link: Mitre Database: CVE-2018-17192
NiFi Jira: NIFI-5258
NiFi PR: PR 2759, PR 2791, PR 2812
Released: October 26, 2018
CVE-2018-17193: Apache NiFi reflected XSS attack in X-ProxyContextPath
Severity: Moderate
Versions Affected:
Description: The message-page.jsp error page used the value of the HTTP request header X-ProxyContextPath without sanitization, resulting in a reflected XSS attack.
Mitigation: The fix to correctly parse and sanitize the request attribute value was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
Credit: This issue was discovered by Dan Fike. Additional assistance from Patrick White.
CVE Link: Mitre Database: CVE-2018-17193
NiFi Jira: NIFI-5442
NiFi PR: PR 2908
Released: October 26, 2018
CVE-2018-17194: Apache NiFi Denial of service via DELETE cluster request replication
Severity: Moderate
Versions Affected:
Description: When a client request to a cluster node was replicated to other nodes in the cluster for verification, the Content-Length was forwarded. On a DELETE request, the body was ignored, but if the initial request had a Content-Length value other than 0, the receiving nodes would wait for the body and eventually timeout.
Mitigation: The fix to check DELETE requests and overwrite non-zero Content-Length header values was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
Credit: This issue was discovered by Mike Cole and Andy LoPresto.
CVE Link: Mitre Database: CVE-2018-17194
NiFi Jira: NIFI-5628
NiFi PR: PR 3035
Released: October 26, 2018
CVE-2018-17195: Apache NiFi CSRF vulnerability in template upload API
Severity: Critical
Versions Affected:
Description: The template upload API endpoint accepted requests from different domain when sent in conjunction with ARP spoofing + meddler in the middle (MITM) attack, resulting in a CSRF attack. The required attack vector is complex, requiring a scenario with client certificate authentication, same subnet access, and injecting malicious code into an unprotected (plaintext HTTP) website which the targeted user later visits, but the possible damage warranted a Critical severity level.
Mitigation: The fix to apply Cross-Origin Resource Sharing (CORS) policy request filtering was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
Credit: This issue was discovered by Mike Cole.
CVE Link: Mitre Database: CVE-2018-17195
NiFi Jira: NIFI-5595
NiFi PR: PR 3024
Released: October 26, 2018
CVE-2014-0193: Apache NiFi Denial of service because of netty vulnerability
Severity: Low
Versions Affected:
Description: A vulnerability in the netty library could cause denial of service. See NIST NVD CVE-2014-0193 or netty release announcement for more information.
Mitigation: The fix to upgrade the netty library to 3.7.1.Final was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
Credit: This issue was discovered by Nathan Gough.
CVE Link: Mitre Database: CVE-2014-0193
NiFi Jira: NIFI-5665
NiFi PR: PR 3067
Released: October 26, 2018
NIFI-2018-006: Apache NiFi Suppression of stack trace when malicious XSS query is submitted
Severity: Informational
Versions Affected:
Description: A reporter submitted a (false positive) claim of a reflected XSS attack. See the CVE-2016-8748 announcement for more information. While the XSS attack was not valid, the resulting stack trace contained unnecessary information.
Mitigation: The fix to suppress the stacktrace was applied on the Apache NiFi 1.7.1 and 1.8.0 releases. Users running a prior 1.x release should upgrade to the appropriate release.
Credit: This issue was discovered by Prashanth V.
CVE Link: N/A
NiFi Jira: NIFI-5374
NiFi PR: PR 2840
Released: October 26, 2018
NIFI-2018-014: Apache NiFi addition of Content Security Policy (CSP) frame-ancestor HTTP response header
Severity: Informational
Versions Affected:
Description: Following best practice recommendations, the frame-ancestors CSP response header is provided as well as X-Frame-Options for increased compatibility across browsers.
Mitigation: The addition of these headers was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
Credit: This issue was discovered by Nathan Gough and Andy LoPresto.
CVE Link: N/A
NiFi Jira: NIFI-5366
NiFi PR: PR 2989
Released: October 26, 2018
CVE-2018-1324: Apache NiFi Denial of service issue because of commons-compress vulnerability
Severity: Low
Versions Affected:
Description: A vulnerability in the commons-compress library could cause denial of service. See commons-compress CVE-2018-1324 announcement for more information.
Mitigation: The fix to upgrade the commons-compress library to 1.16.1 was applied on the Apache NiFi 1.7.0 release. Users running a prior 1.x release should upgrade to the appropriate release. This was previously incorrectly reported as being fixed in Apache NiFi 1.6.0
Credit: This issue was discovered by Joe Witt.
CVE Link: Mitre Database: CVE-2018-1324
NiFi Jira: NIFI-5108
NiFi PR: PR 2651
Released: June 25, 2018
CVE-2016-1000031: Apache NiFi dependency vulnerability in commons-fileupload
Severity: Moderate
Versions Affected:
Description: A vulnerability in the commons-fileupload library could cause remote code execution (RCE). See Tenable Research Advisory TRA-2016-30 for more information.
Mitigation: The fix to upgrade the commons-fileupload library to 1.3.3 was applied on the Apache NiFi 1.7.0 release. Users running a prior 1.x release should upgrade to the appropriate release. Apache Commons project contests validity of this vulnerability and proposes this is the responsibility of the consuming application.
Credit: This issue was discovered by Matt Gilman.
CVE Link: Mitre Database: CVE-2016-1000031
NiFi Jira: NIFI-5124
NiFi PR: PR 2662
Released: June 25, 2018
CVE-2018-7489, CVE-2017-7525, and CVE-2017-15095: Apache NiFi dependency vulnerability in FasterXML Jackson
Severity: Critical
Versions Affected:
Description: A vulnerability in the FasterXML Jackson XML parsing library could allow unauthenticated remote code execution (RCE). See NVD CVE-2018-7489 for more information.
Mitigation: The fix to upgrade the jackson-databind library to 2.9.5 was applied on the Apache NiFi 1.7.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
Credit: This issue was discovered by Sivaprasanna Sethuraman.
CVE Link: Mitre Database: CVE-2018-7489, Mitre Database: CVE-2017-7525, Mitre Database: CVE-2017-15095
NiFi Jira: NIFI-5286
NiFi PR: PR 2775
Released: June 25, 2018
angular:20171018 and angular:20180202: Apache NiFi dependency XSS vulnerability in AngularJS
Severity: Moderate
Versions Affected:
Description: A vulnerability in the AngularJS library could allow XSS. See Snyk npm:angular:20171018 and Snyk npm:angular:20180202 for more information.
Mitigation: The fix to upgrade the commons-compress library to 1.7.0 was applied on the Apache NiFi 1.7.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
Credit: This issue was discovered by Prashanth V.
CVE Link: N/A
NiFi Jira: NIFI-5215
NiFi PR: PR 2721
Released: June 25, 2018
NIFI-2018-009: Apache NiFi proactive escaping of batch ingest JSON to Elasticsearch to prevent injection attack
Severity: Low
Versions Affected:
Description: While no published attack exists, NiFi strengthened the security around the batch processing Elasticsearch ingest feature to prevent injection attacks.
Mitigation: The improved content escaping was applied on the Apache NiFi 1.7.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
Credit: This issue was discovered by Jonathan Logan.
CVE Link: N/A
NiFi Jira: NIFI-5266
NiFi PR: PR 2760
Released: June 25, 2018
CVE-2018-1309: Apache NiFi XML External Entity issue in SplitXML processor
Severity: Moderate
Versions Affected:
Description: Malicious XML content could cause information disclosure or remote code execution.
Mitigation: The fix to disable external general entity parsing and disallow doctype declarations was applied on the Apache NiFi 1.6.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
Credit: This issue was discovered by 圆珠笔.
CVE Link: Mitre Database: CVE-2018-1309
Released: April 8, 2018
CVE-2018-1310: Apache NiFi JMS Deserialization issue because of ActiveMQ client vulnerability
Severity: Moderate
Versions Affected:
Description: Malicious JMS content could cause denial of service. See ActiveMQ CVE-2015-5254 announcement for more information.
Mitigation: The fix to upgrade the activemq-client library to 5.15.3 was applied on the Apache NiFi 1.6.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
Credit: This issue was discovered by 圆珠笔.
CVE Link: Mitre Database: CVE-2018-1310
Released: April 8, 2018
CVE-2017-8028: Apache NiFi LDAP TLS issue because of Spring Security LDAP vulnerability
Severity: Critical
Versions Affected:
Description: Spring Security LDAP library was not enforcing credential authentication after TLS handshake negotiation. See NVD CVE-2017-8028 disclosure for more information.
Mitigation: The fix to upgrade the spring-ldap library to 2.3.2.RELEASE+ was applied on the Apache NiFi 1.6.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
Credit: This issue was discovered by Matthew Elder.
CVE Link: Mitre Database: CVE-2017-8028
Released: April 8, 2018
CVE-2018-1324: Apache NiFi Denial of service issue because of commons-compress vulnerability -- This issue was resolved in Apache NiFi 1.7.0
Severity: Low
Versions Affected:
Description: A vulnerability in the commons-compress library could cause denial of service. See commons-compress CVE-2018-1324 announcement for more information.
Mitigation: The fix to upgrade the commons-compress library to 1.16.1 was applied on the Apache NiFi 1.6.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
Credit: This issue was discovered by Joe Witt.
CVE Link: Mitre Database: CVE-2018-1324
Released: April 8, 2018
CVE-2017-12632: Apache NiFi host header poisoning issue
Severity: Moderate
Versions Affected:
Description: A malicious host header in an incoming HTTP request could cause NiFi to load resources from an external server.
Mitigation: The fix to sanitize host headers and compare to a controlled whitelist was applied on the Apache NiFi 1.5.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
Credit: This issue was discovered by Mike Cole.
CVE Link: Mitre Database: CVE-2017-12632
Released: January 12, 2018
CVE-2017-15697: Apache NiFi XSS issue in context path handling
Severity: Moderate
Versions Affected:
Description: A malicious X-ProxyContextPath or X-Forwarded-Context header containing external resources or embedded code could cause remote code execution.
Mitigation: The fix to properly handle these headers was applied on the Apache NiFi 1.5.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
Credit: This issue was discovered by Andy LoPresto.
CVE Link: Mitre Database: CVE-2017-15697
Released: January 12, 2018
CVE-2017-12623: Apache NiFi XXE issue in template XML upload
Severity: Moderate Important
Versions Affected:
Description: An authorized user Any authenticated user (valid client certificate but without ACL permissions) could upload a template which contained malicious code and accessed sensitive files via an XML External Entity (XXE) attack.
Mitigation: The fix to properly handle XML External Entities was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
Credit: This issue was discovered by Paweł Gocyla and further information was provided by Mike Cole.
CVE Link: Mitre Database: CVE-2017-12623
Released: October 2, 2017 (Updated January 23, 2018)
CVE-2017-15703: Apache NiFi Java deserialization issue in template XML upload
Severity: Moderate
Versions Affected:
Description: Any authenticated user (valid client certificate but without ACL permissions) could upload a template which contained malicious code and caused a denial of service via Java deserialization attack.
Mitigation: The fix to properly handle Java deserialization was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
Credit: This issue was discovered by Mike Cole.
CVE Link: Mitre Database: CVE-2017-15703
Released: October 2, 2017 (Updated January 25, 2018)
CVE-2017-7665: Apache NiFi XSS issue on certain user input components
Severity: Important
Versions Affected:
Description: There are certain user input components in the Apache NiFi UI which had been guarding for some forms of XSS issues but were insufficient.
Mitigation: The fix for more complete user input sanitization will be applied on Apache NiFi 0.7.4 and Apache NiFi 1.3.0 releases. Users running a prior 0.x or 1.x release should upgrade to the appropriate release.
Credit: This issue was discovered by Matt Gilman.
Released: May 8, 2017 (1.2.0); May 17, 2017 (0.7.3)
CVE-2017-7667: Apache NiFi XFS issue due to insufficient response headers
Severity: Important
Versions Affected:
Description: Apache NiFi needs to establish the response header telling browsers to only allow framing with the same origin.
Mitigation: The fix to set this response header will be applied on Apache NiFi 0.7.4 and Apache NiFi 1.3.0 releases. Users running a prior 0.x or 1.x release should upgrade to the appropriate release.
Credit: This issue was discovered by Matt Gilman.
Released: May 8, 2017 (1.2.0); May 17, 2017 (0.7.3)
CVE-2017-5635: Apache NiFi Unauthorized Data Access In Cluster Environment
Severity: Important
Versions Affected:
Description: In a cluster environment, if an anonymous user request is replicated to another node, the originating node identity is used rather than the “anonymous” user.
Mitigation: A fix has been provided (removing the negative check for anonymous user before building the proxy chain and throwing an exception, and evaluating each user in the proxy chain iteration and comparing against a static constant anonymous user). This fix was applied in NIFI-3487 and released in Apache NiFi 0.7.2 and 1.1.2. 1.x users running a clustered environment should upgrade to 1.1.2. 0.x users running a clustered environment should upgrade to 0.7.2. Additional migration guidance can be found here.
Credit: This issue was discovered by Leonardo Dias in conjunction with Matt Gilman.
Released: February 20, 2017
CVE-2017-5636: Apache NiFi User Impersonation In Cluster Environment
Severity: Moderate
Versions Affected:
Description: In a cluster environment, the proxy chain serialization/deserialization is vulnerable to an injection attack where a carefully crafted username could impersonate another user and gain their permissions on a replicated request to another node.
Mitigation: A fix has been provided (modification of the tokenization code and sanitization of user-provided input). This fix was applied in NIFI-3487 and released in Apache NiFi 0.7.2 and 1.1.2. 1.x users running a clustered environment should upgrade to 1.1.2. 0.x users running a clustered environment should upgrade to 0.7.2. Additional migration guidance can be found here.
Credit: This issue was discovered by Andy LoPresto.
Released: February 20, 2017
CVE-2016-8748: Apache NiFi XSS vulnerability in connection details dialogue
Severity: Moderate
Versions Affected:
Description: There is a cross-site scripting vulnerability in connection details dialog when accessed by an authorized user. The user supplied text was not being properly handled when added to the DOM.
Mitigation: 1.0.0 users should upgrade to 1.0.1 or 1.1.1. 1.1.0 users should upgrade to 1.1.1. Additional migration guidance can be found here.
Credit: This issue was discovered by Matt Gilman of the Apache NiFi PMC during a code review.
Released: December 19, 2016 (1.0.1); December 22, 2016 (1.1.1)
The following lists the severity levels and criteria followed. It closely aligns to and borrows from Apache HTTP Server Project guidance.
| Critical | A vulnerability rated with a critical impact is one which could be potentially exploited by a remote attacker to get NiFi to execute arbitrary code either as the user the server is running as or root. These are the sorts of vulnerabilities that could be exploited automatically by worms. |
| Important | A vulnerability rated as Important impact is one which could result in the compromise of data or availability of the server. For Apache NiFi this includes issues that allow an easy remote denial of service or access to files that should be otherwise prevented by limits or authentication. |
| Moderate | A vulnerability is likely to be rated as Moderate if there is significant mitigation to make the issue less of an impact. This might be done because the flaw does not affect likely configurations, or it is a configuration that isn't widely used, or where a remote user must be authenticated in order to exploit the issue. |
| Low | All other security flaws are classed as a Low impact. This rating is used for issues that are believed to be extremely hard to exploit, or where an exploit gives minimal consequences. |
Copyright © 2023 The Apache Software Foundation, Licensed under the Apache License, Version 2.0.
Apache, the
Apache feather logo, NiFi, Apache NiFi and the project logo are trademarks of The Apache Software
Foundation.