Common Vulnerabilities and Exposures
Lists common vulnerabilities and exposures fixed in CFM 2.0.1.
CVE-2020-9486
Component: Apache NiFi
Description: The NiFi stateless execution engine produced log output which included sensitive property values. When a flow was triggered, the flow definition configuration JSON was printed, potentially containing sensitive values in plaintext.
Severity: Important
Versions Affected: Apache NiFi 1.10.0 - 1.11.4
Apache CVE Report Link: https://nifi.apache.org/security.html#CVE-2020-9486
CVE-2020-9487
Component: Apache NiFi
Description: The NiFi download token (one-time password) mechanism used a fixed cache size and did not authenticate the request to create a download token; authentication was only enforced when the token was used to access the content. An unauthenticated user could repeatedly request download tokens, filling the cache and preventing legitimate users from obtaining download tokens.
Severity: Important
Versions Affected: Apache NiFi 1.10.0 - 1.11.4
Apache CVE Report Link: https://nifi.apache.org/security.html#CVE-2020-9487
CVE-2020-9491
Component: Apache NiFi
Description: The NiFi UI and API were protected by mandating TLS v1.2, as were listening connections established by processors like ListenHTTP, HandleHttpRequest, etc. However, intracluster communication such as cluster request replication, Site-to-Site, and load balanced queues continued to support TLS v1.0 or v1.1.
Severity: Critical
Versions Affected: Apache NiFi 1.2.0 - 1.11.4
Apache CVE Report Link: https://nifi.apache.org/security.html#CVE-2020-9491
CVE-2020-11023
Component: Apache NiFi
Description: The jQuery dependency had an XSS vulnerability. See NIST NVD CVE-2020-11023 for more information.
Severity: Low
Versions Affected: Apache NiFi 1.8.0 - 1.11.4
Apache CVE Report Link: https://nifi.apache.org/security.html#CVE-2020-11023
CVE-2019-9658
Component: Apache NiFi
Description: The com.puppycrawl.tools:checkstyle dependency had an XXE vulnerability. See NIST NVD CVE-2019-9658 for more information.
Severity: Low
Versions Affected: Apache NiFi 1.8.0 - 1.11.4
Apache CVE Report Link: https://nifi.apache.org/security.html#CVE-2019-9658
CVE-2019-11358
Component: Apache NiFi
Description: Various vulnerabilities existed within the jQuery dependency used by NiFi. See NIST NVD CVE-2019-11358 for more information.
Severity: Medium
Versions Affected: Apache NiFi 1.6.0 - 1.9.2
Apache CVE Report Link: https://nifi.apache.org/security.html#CVE-2019-11358
CVE-2019-10247, CVE-2019-10246
Component: Apache NiFi
Description: Various vulnerabilities existed within the Jetty dependency used by NiFi. See NIST NVD CVE-2019-10247, NIST NVD CVE-2019-10246 for more information.
Severity: Medium
Versions Affected: Apache NiFi 1.8.0 - 1.9.2
Apache CVE Report Link: https://nifi.apache.org/security.html#CVE-2019-10247
CVE-2019-16335, CVE-2019-14540, CVE-2019-14439, CVE-2019-12814, CVE-2019-12384, CVE-2018-1000873, CVE-2018-19362, CVE-2018-19361, CVE-2018-19360
Component: Apache NiFi
Description: Various vulnerabilities existed within the Jackson Core: Databind dependency used by NiFi. See NIST NVD CVE-2019-16335, NIST NVD CVE-2019-14540, NIST NVD CVE-2019-14439, NIST NVD CVE-2019-12814, NIST NVD CVE-2019-12384, NIST NVD CVE-2018-1000873, NIST NVD CVE-2018-19362, NIST NVD CVE-2018-19361, NIST NVD CVE-2018-19360 for more information.
Severity: Medium
Versions Affected: Apache NiFi 1.0.0 - 1.9.2
Apache CVE Report Link: https://nifi.apache.org/security.html#CVE-2019-16335
CVE-2019-0193, CVE-2019-0192, CVE-2017-3164
Component: Apache NiFi
Description: Various vulnerabilities existed within the Solr dependency used by NiFi. See NIST NVD CVE-2019-0193, NIST NVD CVE-2019-0192, NIST NVD CVE-2017-3164 for more information.
Severity: Critical
Versions Affected: Apache NiFi 1.0.0 - 1.9.2
Apache CVE Report Link: https://nifi.apache.org/security.html#CVE-2019-0193
CVE-2017-5637, CVE-2016-5017, CVE-2018-8012
Component: Apache NiFi
Description: Various vulnerabilities existed within the Zookeeper dependency used by NiFi. See NIST NVD CVE-2018-8012, NIST NVD CVE-2017-5637, NIST NVD CVE-2016-5017 for more information.
Severity: Important
Versions Affected: Apache NiFi 1.0.0 - 1.9.2
Apache CVE Report Link: https://nifi.apache.org/security.html#CVE-2017-5637
CVE-2019-10083
Component: Apache NiFi
Description: When updating a Process Group via the API, the response to the request includes all of its contents (at the topmost level, not recursively). The response included details about processors and controller services to which the user may not have had read access.
Severity: Low
Versions Affected: Apache NiFi 1.3.0 - 1.9.2
Apache CVE Report Link: https://nifi.apache.org/security.html#CVE-2019-10083
CVE-2019-12421
Component: Apache NiFi
Description: If NiFi uses an authentication mechanism other than PKI, when the user clicks Log Out, NiFi invalidates the authentication token on the client side but not on the server side. This permits the user's client-side token to be used for up to 12 hours after logging out to make API requests to NiFi.
Severity: Moderate
Versions Affected: Apache NiFi 1.0.0 - 1.9.2
Apache CVE Report Link: https://nifi.apache.org/security.html#CVE-2019-12421
CVE-2019-10080
Component: Apache NiFi
Description: The XMLFileLookupService allowed trusted users to inadvertently configure a potentially malicious XML file. Such an XML file could make external calls to services (via XXE) and reveal information such as the versions of Java, Jersey, and Apache that the NiFi instance uses.
Severity: Low
Versions Affected: Apache NiFi 1.3.0 - 1.9.2
Apache CVE Report Link: https://nifi.apache.org/security.html#CVE-2019-10080
CVE-2019-10768
Component: Apache NiFi
Description: An Object.prototype pollution vulnerability existed within the AngularJS dependency used by NiFi. See NIST NVD CVE-2019-10768 for more information.
Severity: Important
Versions Affected: Apache NiFi 1.8.0 - 1.10.0
Apache CVE Report Link: https://nifi.apache.org/security.html#CVE-2019-10768
CVE-2020-1933
Component: Apache NiFi
Description: Malicious scripts could be injected into the UI through an action taken by an unaware authenticated user in Firefox. This did not appear to occur in other browsers.
Severity: Important
Versions Affected: Apache NiFi 1.0.0 - 1.10.0
Apache CVE Report Link: https://nifi.apache.org/security.html#CVE-2020-1933
CVE-2020-1928
Component: Apache NiFi
Description: The sensitive parameter parser would log parsed property descriptor values for debugging purposes. This would expose literal values entered in a sensitive property when no parameter was present.
Severity: Moderate
Versions Affected: Apache NiFi 1.10.0
Apache CVE Report Link: https://nifi.apache.org/security.html#CVE-2020-1928
CVE-2020-1942
Component: Apache NiFi
Description: The flow fingerprint factory generated flow fingerprints which included sensitive property descriptor values. In the event a node attempted to join a cluster and the cluster flow was not inheritable, the flow fingerprint of both the cluster and local flow was printed, potentially containing sensitive values in plaintext.
Severity: Important
Versions Affected: Apache NiFi 0.0.1 - 1.11.0
Apache CVE Report Link: https://nifi.apache.org/security.html#CVE-2020-1942