Common Vulnerabilities and Exposures
The following CVEs have been fixed in HDF 3.3.0:
CVE-2014-0193
Component: Apache NiFi
Description: A vulnerability in the netty library could cause denial of service. See NIST NVD CVE-2014-0193 or netty release announcement for more information.
Severity: Low
Versions Affected: Apache NiFi 1.0.0 - 1.7.1
Apache CVE Report Link: https://nifi.apache.org/security.html#CVE-2014-0193
CVE-2018-17192
Component: Apache NiFi
Description: The X-Frame-Options headers were applied
inconsistently on some HTTP responses, resulting in duplicate or missing security
headers. Some browsers would interpret these results incorrectly, allowing clickjacking
attacks.
Severity: Low
Versions Affected: Apache NiFi 1.0.0 - 1.6.0
Apache CVE Report Link: https://nifi.apache.org/security.html#CVE-2018-17192
CVE-2018-17193
Component: Apache NiFi
Description: The message-page.jsp error page used the value of
the HTTP request header X-ProxyContextPath without sanitization,
resulting in a reflected XSS attack.
Severity: Moderate
Versions Affected: Apache NiFi 1.0.0 - 1.7.1
Apache CVE Report Link: https://nifi.apache.org/security.html#CVE-2018-17193
CVE-2018-17194
Component: Apache NiFi
Description: When a client request to a cluster node was replicated to other
nodes in the cluster for verification, the Content-Lengthwas forwarded.
On a DELETE request, the body was ignored, but if the initial request
had a Content-Length value other than 0, the receiving nodes would wait
for the body and eventually timeout.
Severity: Moderate
Versions Affected: Apache NiFi 1.0.0 - 1.7.1
Apache CVE Report Link: https://nifi.apache.org/security.html#CVE-2018-17194
CVE-2018-17195
Component: Apache NiFi
Description: The template upload API endpoint accepted requests from different domain when sent in conjunction with ARP spoofing + meddler in the middle (MITM) attack, resulting in a CSRF attack. The required attack vector is complex, requiring a scenario with client certificate authentication, same subnet access, and injecting malicious code into an unprotected (plaintext HTTP) website which the targeted user later visits, but the possible damage warranted a Severe severity level.
Severity: Severe
Versions Affected: Apache NiFi 1.0.0 - 1.7.1
Apache CVE Report Link: https://nifi.apache.org/security.html#CVE-2018-17195