Common Vulnerabilities and Exposures

Lists common vulnerabilities and exposures fixed in CFM 2.0.1.

CVE-2020-9486

Component: Apache NiFi

Description: The NiFi stateless execution engine produced log output which included sensitive property values. When a flow was triggered, the flow definition configuration JSON was printed, potentially containing sensitive values in plaintext.

Severity: Important

Versions Affected: Apache NiFi 1.10.0 - 1.11.4

Apache CVE Report Link: https://nifi.apache.org/security.html#CVE-2020-9486

CVE-2020-9487

Component: Apache NiFi

Description: The NiFi download token (one-time password) mechanism used a fixed cache size and did not authenticate a request to create a download token, only when attempting to use the token to access the content. An unauthenticated user could repeatedly request download tokens, preventing legitimate users from requesting download tokens.

Severity: Important

Versions Affected: Apache NiFi 1.10.0 - 1.11.4

Apache CVE Report Link: https://nifi.apache.org/security.html#CVE-2020-9487

CVE-2020-9491

Component: Apache NiFi

Description: The NiFi UI and API were protected by mandating TLS v1.2, as well as listening connections established by processors like ListenHTTP, HandleHttpRequest, etc. However intracluster communication such as cluster request replication, Site-to-Site, and load balanced queues continued to support TLS v1.0 or v1.1.

Severity: Critical

Versions Affected: Apache NiFi 1.2.0 - 1.11.4

Apache CVE Report Link: https://nifi.apache.org/security.html#CVE-2020-9491

CVE-2020-11023

Component: Apache NiFi

Description: The jquery dependency had an XSS vulnerability. See NIST NVD CVE-2020-11023 for more information.

Severity: Low

Versions Affected: Apache NiFi 1.8.0 - 1.11.4

Apache CVE Report Link: https://nifi.apache.org/security.html#CVE-2020-11023

CVE-2019-9658

Component: Apache NiFi

Description: The com.puppycrawl.tools:checkstyle dependency had a XXE vulnerability. See NIST NVD CVE-2019-9658 for more information.

Severity: Low

Versions Affected: Apache NiFi 1.8.0 - 1.11.4

Apache CVE Report Link: https://nifi.apache.org/security.html#CVE-2019-9658

CVE-2019-11358

Component: Apache NiFi

Description: Various vulnerabilities existed within the JQuery dependency used by NiFi. See NIST NVD CVE-2019-11358 for more information.

Severity: Medium

Versions Affected: Apache NiFi 1.6.0 - 1.9.2

Apache CVE Report Link: https://nifi.apache.org/security.html#CVE-2019-11358

CVE-2019-10247, CVE-2019-10246

Component: Apache NiFi

Description: Various vulnerabilities existed within the Jetty dependency used by NiFi. See NIST NVD CVE-2019-10247, NIST NVD CVE-2019-10246 for more information.

Severity: Medium

Versions Affected: Apache NiFi 1.8.0 - 1.9.2

Apache CVE Report Link: https://nifi.apache.org/security.html#CVE-2019-10247

CVE-2019-16335, CVE-2019-14540, CVE-2019-14439, CVE-2019-12814, CVE-2019-12384, CVE-2018-1000873, CVE-2018-19362, CVE-2018-19361, CVE-2018-19360

Component: Apache NiFi

Description: Various vulnerabilities existed within the Jackson Core: Databind dependency used by NiFi. See NIST NVD CVE-2019-16335, NIST NVD CVE-2019-14540, NIST NVD CVE-2019-14439, NIST NVD CVE-2019-12814, NIST NVD CVE-2019-12384, NIST NVD CVE-2018-1000873, NIST NVD CVE-2018-19362, NIST NVD CVE-2018-19361, NIST NVD CVE-2018-19360 for more information.

Severity: Medium

Versions Affected: Apache NiFi 1.0.0 - 1.9.2

Apache CVE Report Link: https://nifi.apache.org/security.html#CVE-2019-16335

CVE-2019-0193, CVE-2019-0192, CVE-2017-3164

Component: Apache NiFi

Description: Various vulnerabilities existed within the Solr dependency used by NiFi. See NIST NVD CVE-2019-0193, NIST NVD CVE-2019-0192, NIST NVD CVE-2017-3164 for more information.

Severity: Critical

Versions Affected: Apache NiFi 1.0.0 - 1.9.2

Apache CVE Report Link: https://nifi.apache.org/security.html#CVE-2019-0193

CVE-2017-5637, CVE-2016-5017, CVE-2018-8012

Component: Apache NiFi

Description: Various vulnerabilities existed within the Zookeeper dependency used by NiFi. See NIST NVD CVE-2018-8012, NIST NVD CVE-2017-5637, NIST NVD CVE-2016-5017 for more information.

Severity: Important

Versions Affected: Apache NiFi 1.0.0 - 1.9.2

Apache CVE Report Link: https://nifi.apache.org/security.html#CVE-2017-5637

CVE-2019-10083

Component: Apache NiFi

Description: When updating a Process Group via the API, the response to the request includes all of its contents (at the top most level, not recursively). The response included details about processors and controller services which the user may not have had read access to.

Severity: Low

Versions Affected: Apache NiFi 1.3.0 - 1.9.2

Apache CVE Report Link: https://nifi.apache.org/security.html#CVE-2019-10083

CVE-2019-12421

Component: Apache NiFi

Description: If NiFi uses an authentication mechanism other than PKI, when the user clicks Log Out, NiFi invalidates the authentication token on the client side but not on the server side. This permits the user's client-side token to be used for up to 12 hours after logging out to make API requests to NiFi.

Severity: Moderate

Versions Affected: Apache NiFi 1.0.0 - 1.9.2

Apache CVE Report Link: https://nifi.apache.org/security.html#CVE-2019-12421

CVE-2019-10080

Component: Apache NiFi

Description: The XMLFileLookupService allowed trusted users to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE) and reveal information such as the versions of Java, Jersey, and Apache that the NiFI instance uses.

Severity: Low

Versions Affected: Apache NiFi 1.3.0 - 1.9.2

Apache CVE Report Link: https://nifi.apache.org/security.html#CVE-2019-10080

CVE-2019-10768

Component: Apache NiFi

Description: An Object.prototype pollution vulnerability existed within the AngularJS dependency used by NiFi. See NIST NVD CVE-2019-10768 for more information.

Severity: Important

Versions Affected: Apache NiFi 1.8.0 - 1.10.0

Apache CVE Report Link: https://nifi.apache.org/security.html#CVE-2019-10768

CVE-2020-1933

Component: Apache NiFi

Description: Malicious scripts could be injected to the UI through action by an unaware authenticated user in Firefox. Did not appear to occur in other browsers.

Severity: Important

Versions Affected: Apache NiFi 1.0.0 - 1.10.0

Apache CVE Report Link: https://nifi.apache.org/security.html#CVE-2020-1933

CVE-2020-1928

Component: Apache NiFi

Description: The sensitive parameter parser would log parsed property descriptor values for debugging purposes. This would expose literal values entered in a sensitive property when no parameter was present.

Severity: Moderate

Versions Affected: Apache NiFi 1.10.0

Apache CVE Report Link: https://nifi.apache.org/security.html#CVE-2020-1928

CVE-2020-1942

Component: Apache NiFi

Description: The flow fingerprint factory generated flow fingerprints which included sensitive property descriptor values. In the event a node attempted to join a cluster and the cluster flow was not inheritable, the flow fingerprint of both the cluster and local flow was printed, potentially containing sensitive values in plaintext.

Severity: Important

Versions Affected: Apache NiFi 0.0.1 - 1.11.0

Apache CVE Report Link: https://nifi.apache.org/security.html#CVE-2020-1942