Fixed CVEs in Flow Management

Review the list of common vulnerabilities and exposures fixed in Cloudera Flow Management (CFM) in Data Hub 7.2.18.

All known NiFi CVEs are addressed in both clusters based on NiFi 1.25 and clusters based on NiFi 2.0-M1. See Apache NiFi Security for more information about NiFi’s CVEs.

In Flow Management clusters using NiFi 1.25, vulnerability scanners may detect certain CVEs in some legacy components. For these components, it is not possible to update the client library NiFi depends on. You can find the list of affected components below. Although NiFi does not expose ways to exploit those vulnerabilities, you may want to remove the associated NARs. Note that these NARs are deprecated and no longer available in NiFi clusters using NiFi 2.0.

  • nifi-kite-nar (CVE-2022-42889, CVE-2023-39410)

  • nifi-kafka-1-0-nar, nifi-kafka-2-0-nar (CVE-2018-17196)

  • nifi-couchbase-nar (CVE-2020-9040)
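
To check whether any of the NARs listed above are present on a NiFi 1.25 node before deciding to remove them, the following script can be used. It is an added example, not part of the original Cloudera documentation; the function name `find_legacy_nars` is hypothetical, the NiFi library directory must be supplied by the caller, and NAR files are assumed to follow the `<artifact>-<version>.nar` naming pattern.

```shell
#!/bin/sh
# Added example (not Cloudera code): report which of the deprecated NARs
# listed on this page are present in a NiFi library directory.
# Assumption: NAR files are named <artifact>-<version>.nar.

# find_legacy_nars DIR
# Prints "<path><TAB><CVE list>" for every listed NAR found in DIR.
# Returns 0 on a completed scan (even with no matches), 2 if DIR is invalid.
find_legacy_nars() {
  dir=$1
  if [ ! -d "$dir" ]; then
    echo "not a directory: $dir" >&2
    return 2
  fi
  # Artifact name and CVE IDs, exactly as listed on this page.
  while read -r name cves; do
    # Requiring a digit after the artifact name matches only the version
    # suffix, so nifi-kafka-2-0-nar never matches e.g. nifi-kafka-2-6-nar.
    for f in "$dir"/"$name"-[0-9]*.nar; do
      [ -e "$f" ] || continue   # unmatched glob stays literal; skip it
      printf '%s\t%s\n' "$f" "$cves"
    done
  done <<'EOF'
nifi-kite-nar CVE-2022-42889,CVE-2023-39410
nifi-kafka-1-0-nar CVE-2018-17196
nifi-kafka-2-0-nar CVE-2018-17196
nifi-couchbase-nar CVE-2020-9040
EOF
  return 0
}

# Usage: sh check_legacy_nars.sh /path/to/nifi/lib
if [ "$#" -gt 0 ]; then
  find_legacy_nars "$1"
fi
```

An empty result means none of the listed NARs are in that directory. Confirm that no flow uses processors from a reported NAR before removing it.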