cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,exploited_date,poc,trended,trended_no_1,trended_no_1_date,published,trended_score
CVE-2024-52067,https://securityvulnerability.io/vulnerability/CVE-2024-52067,Optional Debug Logging in Apache NiFi Could Lead to Sensitive Information Disclosure,"Apache NiFi 1.16.0 through 1.28.0 and 2.0.0-M1 through 2.0.0-M4 include optional debug logging of Parameter Context values during the flow synchronization process. An authorized administrator with access to change logging levels could enable debug logging for framework flow synchronization, causing the application to write Parameter names and values to the application log. Parameter Context values may contain sensitive information depending on application flow configuration. Deployments of Apache NiFi with the default Logback configuration do not log Parameter Context values. Upgrading to Apache NiFi 2.0.0 or 1.28.1 is the recommendation mitigation, eliminating Parameter value logging from the flow synchronization process regardless of the Logback configuration.",Apache,Apache Nifi,,,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-11-21T09:28:43.910Z,0
CVE-2024-37389,https://securityvulnerability.io/vulnerability/CVE-2024-37389,Apache NiFi vulnerable to cross-site scripting,"Apache NiFi 1.10.0 through 1.26.0 and 2.0.0-M1 through 2.0.0-M3 support a description field in the Parameter Context configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to configure a Parameter Context, can enter arbitrary JavaScript code, which the client browser will execute within the session context of the authenticated user. Upgrading to Apache NiFi 1.27.0 or 2.0.0-M4 is the recommended mitigation.",Apache,Apache Nifi,4.6,MEDIUM,0.0026199999265372753,false,,false,false,false,,,false,false,,2024-07-08T07:29:00.146Z,0
CVE-2023-49145,https://securityvulnerability.io/vulnerability/CVE-2023-49145,Apache NiFi: Improper Neutralization of Input in Advanced User Interface for Jolt,"Apache NiFi 0.7.0 through 1.23.2 include the JoltTransformJSON Processor, which provides an advanced configuration user interface that is vulnerable to DOM-based cross-site scripting. If an authenticated user, who is authorized to configure a JoltTransformJSON Processor, visits a crafted URL, then arbitrary
JavaScript code can be executed within the session context of the authenticated user. Upgrading to Apache NiFi 1.24.0 or 2.0.0-M1 is the recommended mitigation.",Apache,Apache NiFi,5.4,MEDIUM,0.0025400000158697367,false,,false,false,false,,,false,false,,2023-11-27T23:15:00.000Z,0
CVE-2023-41180,https://securityvulnerability.io/vulnerability/CVE-2023-41180,Apache NiFi MiNiFi C++: Incorrect Certificate Validation in InvokeHTTP for MiNiFi C++,"Incorrect certificate validation in InvokeHTTP on Apache NiFi MiNiFi C++ versions 0.13 to 0.14 allows an intermediary to present a forged certificate during TLS handshake negotation. The Disable Peer Verification property of InvokeHTTP was effectively flipped,  disabling verification by default, when using HTTPS.

Mitigation: Set the Disable Peer Verification property of InvokeHTTP to true when using MiNiFi C++ versions 0.13.0 or 0.14.0. Upgrading to MiNiFi C++ 0.15.0 corrects the default behavior.

",Apache,Apache Nifi Minifi C++,5.9,MEDIUM,0.0007900000200606883,false,,false,false,false,,,false,false,,2023-09-03T16:15:00.000Z,0
CVE-2023-40037,https://securityvulnerability.io/vulnerability/CVE-2023-40037,Apache NiFi: Incomplete Validation of JDBC and JNDI Connection URLs,"Apache NiFi 1.21.0 through 1.23.0 support JDBC and JNDI JMS access in several Processors and Controller Services with connection URL validation that does not provide sufficient protection against crafted inputs. An authenticated and authorized user can bypass connection URL validation using custom input formatting. The resolution enhances connection URL validation and introduces validation for additional related properties. Upgrading to Apache NiFi 1.23.1 is the recommended mitigation.
",Apache,Apache Nifi,6.5,MEDIUM,0.0013099999632686377,false,,false,false,true,2023-11-23T22:26:21.000Z,true,false,false,,2023-08-18T22:15:00.000Z,0
CVE-2023-36542,https://securityvulnerability.io/vulnerability/CVE-2023-36542,Apache NiFi: Potential Code Injection with Properties Referencing Remote Resources,"Apache NiFi versions 0.0.2 through 1.22.0 contain a vulnerability that permits authenticated users to configure locations for HTTP URL references. This misconfiguration can allow for the execution of custom code, thereby posing a significant threat to the system’s integrity. The remedy involves the introduction of a new Required Permission that restricts access to remote resources, reserving these capabilities for privileged users only. Users are strongly advised to upgrade to Apache NiFi 1.23.0 or later to mitigate the risks associated with this vulnerability.",Apache,Apache Nifi,8.8,HIGH,0.006599999964237213,false,,false,false,false,,,false,false,,2023-07-29T08:15:00.000Z,0
CVE-2023-34212,https://securityvulnerability.io/vulnerability/CVE-2023-34212,Apache NiFi: Potential Deserialization of Untrusted Data with JNDI in JMS Components,"The JndiJmsConnectionFactoryProvider Controller Service, along with the ConsumeJMS and PublishJMS Processors, in Apache NiFi 1.8.0 through 1.21.0 allow an authenticated and authorized user to configure URL and library properties that enable deserialization of untrusted data from a remote location.

The resolution validates the JNDI URL and restricts locations to a set of allowed schemes.

You are recommended to upgrade to version 1.22.0 or later which fixes this issue.


",Apache,Apache Nifi,6.5,MEDIUM,0.0008200000156648457,false,,false,false,true,2023-11-23T22:14:49.000Z,true,false,false,,2023-06-12T16:15:00.000Z,0
CVE-2023-34468,https://securityvulnerability.io/vulnerability/CVE-2023-34468,Apache NiFi: Potential Code Injection with Database Services using H2,"The DBCPConnectionPool and HikariCPConnectionPool services in Apache NiFi versions 0.0.2 through 1.21.0 are susceptible to a vulnerability that allows an authenticated and authorized user to configure a Database URL leveraging the H2 driver, leading to potential execution of custom code. The recommended resolution involves validating the Database URL and rejecting H2 JDBC locations to mitigate this risk. Users are advised to upgrade to version 1.22.0 or later to address this issue effectively.",Apache,Apache Nifi,8.8,HIGH,0.7264900207519531,false,,true,false,true,2023-11-25T12:21:48.000Z,true,false,false,,2023-06-12T16:15:00.000Z,0
CVE-2023-22832,https://securityvulnerability.io/vulnerability/CVE-2023-22832,Apache NiFi: Improper Restriction of XML External Entity References in ExtractCCDAAttributes,"The ExtractCCDAAttributes Processor in Apache NiFi versions 1.2.0 to 1.19.1 is susceptible to vulnerabilities due to its inability to restrict XML External Entity references. This flaw allows attackers to exploit flow configurations that utilize the processor by injecting malicious XML documents with Document Type Declarations containing XML External Entity references. To mitigate this risk, Apache has provided a resolution that disables Document Type Declarations and prohibits XML External Entity resolution within the processor, thereby enhancing security.",Apache,Apache NiFi,7.5,HIGH,0.0012600000482052565,false,,false,false,false,,,false,false,,2023-02-10T08:15:00.000Z,0
CVE-2022-33140,https://securityvulnerability.io/vulnerability/CVE-2022-33140,Improper Neutralization of Command Elements in Shell User Group Provider,"The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not neutralize arguments for group resolution commands, allowing injection of operating system commands on Linux and macOS platforms. The ShellUserGroupProvider is not included in the default configuration. Command injection requires ShellUserGroupProvider to be one of the enabled User Group Providers in the Authorizers configuration. Command injection also requires an authenticated user with elevated privileges. Apache NiFi requires an authenticated user with authorization to modify access policies in order to execute the command. Apache NiFi Registry requires an authenticated user with authorization to read user groups in order to execute the command. The resolution removes command formatting based on user-provided arguments.",Apache,"Apache Nifi,Apache Nifi Registry",8.8,HIGH,0.11840000003576279,false,,false,false,false,,,false,false,,2022-06-15T14:25:15.000Z,0
CVE-2022-29265,https://securityvulnerability.io/vulnerability/CVE-2022-29265,Improper Restriction of XML External Entity References in Multiple Components,"Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configuration. The Standard Content Viewer service attempts to resolve XML External Entity references when viewing formatted XML files. The following Processors attempt to resolve XML External Entity references when configured with default property values: - EvaluateXPath - EvaluateXQuery - ValidateXml Apache NiFi flow configurations that include these Processors are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. The resolution disables Document Type Declarations in the default configuration for these Processors, and disallows XML External Entity resolution in standard services.",Apache,Apache Nifi,7.5,HIGH,0.0010300000431016088,false,,false,false,false,,,false,false,,2022-04-30T08:05:10.000Z,0
CVE-2022-26850,https://securityvulnerability.io/vulnerability/CVE-2022-26850,Insufficiently protected credentials,"When creating or updating credentials for single-user access, Apache NiFi wrote a copy of the Login Identity Providers configuration to the operating system temporary directory. On most platforms, the operating system temporary directory has global read permissions. NiFi immediately moved the temporary file to the final configuration directory, which significantly limited the window of opportunity for access. NiFi 1.16.0 includes updates to replace the Login Identity Providers configuration without writing a file to the operating system temporary directory.",Apache,Apache Nifi,4.3,MEDIUM,0.00044999999227002263,false,,false,false,false,,,false,false,,2022-04-06T17:40:09.000Z,0
CVE-2021-44145,https://securityvulnerability.io/vulnerability/CVE-2021-44145,Apache NiFi information disclosure by XXE,"In the TransformXML processor of Apache NiFi before 1.15.1 an authenticated user could configure an XSLT file which, if it included malicious external entity calls, may reveal sensitive information.",Apache,Apache Nifi,6.5,MEDIUM,0.0005300000193528831,false,,false,false,false,,,false,false,,2021-12-17T08:50:09.000Z,0
CVE-2021-33191,https://securityvulnerability.io/vulnerability/CVE-2021-33191,MiNiFi CPP arbitrary script execution is possible on the agent's host machine through the c2 protocol,"From Apache NiFi MiNiFi C++ version 0.5.0 the c2 protocol implements an ""agent-update"" command which was designed to patch the application binary. This ""patching"" command defaults to calling a trusted binary, but might be modified to an arbitrary value through a ""c2-update"" command. Said command is then executed using the same privileges as the application binary. This was addressed in version 0.10.0",Apache,Apache Nifi - Minifi C++,9.8,CRITICAL,0.010060000233352184,false,,false,false,false,,,false,false,,2021-08-24T11:20:09.000Z,0
CVE-2020-9491,https://securityvulnerability.io/vulnerability/CVE-2020-9491,,"In Apache NiFi 1.2.0 to 1.11.4, the NiFi UI and API were protected by mandating TLS v1.2, as well as listening connections established by processors like ListenHTTP, HandleHttpRequest, etc. However intracluster communication such as cluster request replication, Site-to-Site, and load balanced queues continued to support TLS v1.0 or v1.1.",Apache,Apache Nifi,7.5,HIGH,0.0024800000246614218,false,,false,false,false,,,false,false,,2020-10-01T19:57:34.000Z,0
CVE-2020-13940,https://securityvulnerability.io/vulnerability/CVE-2020-13940,,"In Apache NiFi 1.0.0 to 1.11.4, the notification service manager and various policy authorizer and user group provider objects allowed trusted administrators to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE).",Apache,Apache Nifi,5.5,MEDIUM,0.0004400000034365803,false,,false,false,false,,,false,false,,2020-10-01T19:55:16.000Z,0
CVE-2020-9487,https://securityvulnerability.io/vulnerability/CVE-2020-9487,,"In Apache NiFi 1.0.0 to 1.11.4, the NiFi download token (one-time password) mechanism used a fixed cache size and did not authenticate a request to create a download token, only when attempting to use the token to access the content. An unauthenticated user could repeatedly request download tokens, preventing legitimate users from requesting download tokens.",Apache,Apache Nifi,7.5,HIGH,0.0012600000482052565,false,,false,false,false,,,false,false,,2020-10-01T19:53:11.000Z,0
CVE-2020-9486,https://securityvulnerability.io/vulnerability/CVE-2020-9486,,"In Apache NiFi 1.10.0 to 1.11.4, the NiFi stateless execution engine produced log output which included sensitive property values. When a flow was triggered, the flow definition configuration JSON was printed, potentially containing sensitive values in plaintext.",Apache,Apache Nifi,7.5,HIGH,0.0012000000569969416,false,,false,false,false,,,false,false,,2020-10-01T19:50:53.000Z,0
CVE-2020-9482,https://securityvulnerability.io/vulnerability/CVE-2020-9482,,"If NiFi Registry 0.1.0 to 0.5.0 uses an authentication mechanism other than PKI, when the user clicks Log Out, NiFi Registry invalidates the authentication token on the client side but not on the server side. This permits the user's client-side token to be used for up to 12 hours after logging out to make API requests to NiFi Registry.",Apache,Apache Nifi Registry,6.5,MEDIUM,0.00107999995816499,false,,false,false,false,,,false,false,,2020-04-28T18:12:58.000Z,0
CVE-2020-1942,https://securityvulnerability.io/vulnerability/CVE-2020-1942,,"In Apache NiFi 0.0.1 to 1.11.0, the flow fingerprint factory generated flow fingerprints which included sensitive property descriptor values. In the event a node attempted to join a cluster and the cluster flow was not inheritable, the flow fingerprint of both the cluster and local flow was printed, potentially containing sensitive values in plaintext.",Apache,Apache Nifi,7.5,HIGH,0.0013800000306218863,false,,false,false,false,,,false,false,,2020-02-11T20:57:26.000Z,0
CVE-2020-1933,https://securityvulnerability.io/vulnerability/CVE-2020-1933,,A XSS vulnerability was found in Apache NiFi 1.0.0 to 1.10.0. Malicious scripts could be injected to the UI through action by an unaware authenticated user in Firefox. Did not appear to occur in other browsers.,Apache,Apache Nifi,6.1,MEDIUM,0.001610000035725534,false,,false,false,false,,,false,false,,2020-01-28T00:33:32.000Z,0
CVE-2020-1928,https://securityvulnerability.io/vulnerability/CVE-2020-1928,,An information disclosure vulnerability was found in Apache NiFi 1.10.0. The sensitive parameter parser would log parsed values for debugging purposes. This would expose literal values entered in a sensitive property when no parameter was present.,Apache,Apache Nifi,5.3,MEDIUM,0.001829999964684248,false,,false,false,false,,,false,false,,2020-01-28T00:28:08.000Z,0
CVE-2019-10083,https://securityvulnerability.io/vulnerability/CVE-2019-10083,,"When updating a Process Group via the API in NiFi versions 1.3.0 to 1.9.2, the response to the request includes all of its contents (at the top most level, not recursively). The response included details about processors and controller services which the user may not have had read access to.",Apache,Apache Nifi,5.3,MEDIUM,0.0005799999926239252,false,,false,false,false,,,false,false,,2019-11-19T21:34:11.000Z,0
CVE-2019-12421,https://securityvulnerability.io/vulnerability/CVE-2019-12421,,"When using an authentication mechanism other than PKI, when the user clicks Log Out in NiFi versions 1.0.0 to 1.9.2, NiFi invalidates the authentication token on the client side but not on the server side. This permits the user's client-side token to be used for up to 12 hours after logging out to make API requests to NiFi.",Apache,Apache Nifi,8.8,HIGH,0.0007800000021234155,false,,false,false,false,,,false,false,,2019-11-19T21:33:12.000Z,0
CVE-2019-10080,https://securityvulnerability.io/vulnerability/CVE-2019-10080,,"The XMLFileLookupService in NiFi versions 1.3.0 to 1.9.2 allowed trusted users to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE) and reveal information such as the versions of Java, Jersey, and Apache that the NiFI instance uses.",Apache,Apache Nifi,6.5,MEDIUM,0.0011399999493733048,false,,false,false,false,,,false,false,,2019-11-19T21:32:11.000Z,0