Common Vulnerabilities and Exposures

Lists common vulnerabilities and exposures fixed in CFM 2.1.1.

CVE-2020-27218: Apache NiFi's use of Jetty server

Severity: Low

Versions Affected: Apache NiFi 1.2.0 - 1.12.1

Description: The Jetty server dependency had an HTTP Request Smuggling vulnerability. See NIST NVD CVE-2020-27218 for more information.

Mitigation: Jetty server was upgraded from 9.4.26.v20200117 to 9.4.35.v20201120 for the Apache NiFi 1.13.0 release.

CVE Link: Mitre Database: CVE-2020-27218

NiFi Jira: NIFI-8098

NiFi PR: PR 4731

CVE-2021-20190; CVE-2019-12086: Apache NiFi's jackson-databind usage

Severity: Low

Versions Affected: Apache NiFi 1.7.0 - 1.12.1

Description: The com.fasterxml.jackson.core:jackson-databind dependency had various serialization vulnerabilities. See NIST NVD CVE-2021-20190 for more information.

Mitigation: jackson-databind was upgraded from 2.9.10.5 to 2.9.10.8 for the Apache NiFi 1.13.0 release.

CVE Link: Mitre Database: CVE-2021-20190

NiFi Jira: NIFI-8166

NiFi PR: PR 4777

CVE-2020-7676: Apache NiFi's angular.js usage

Severity: Low

Versions Affected: Apache NiFi 1.8.0 - 1.11.4

Description: The angular.js dependency had an XSS vulnerability. See NIST NVD CVE-2020-7676 for more information.

Mitigation: angular.js was upgraded from 1.7.9 to 1.8.0 for the Apache NiFi 1.12.0 release.

CVE Link: Mitre Database: CVE-2020-7676

NiFi Jira: NIFI-7577

NiFi PR: PR 4357
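As an added example, not part of this bulletin or of the NiFi project, the Python script below checks the output of `mvn dependency:list` against the fixed Jetty and jackson-databind versions named in the Mitigation lines above, so a build that still resolves the pre-fix artifacts can be flagged before deployment. The sample output is constructed, the rule that every org.eclipse.jetty artifact shares the fixed version is the example's own assumption (the bulletin names only "Jetty server"), and the numeric version comparison is deliberately simple rather than a full Maven version comparator. angular.js is not covered because the bulletin gives no Maven coordinate for it.

```python
import re

# Minimum fixed versions taken from the Mitigation lines of this bulletin.
# Entry format: (groupId, artifactId or None for "every artifact in the group",
# fixed version, CVEs). Applying one fixed version to every org.eclipse.jetty
# artifact is an assumption of this example; Jetty modules are versioned together.
FIX_RULES = [
    ("org.eclipse.jetty", None, "9.4.35.v20201120", ("CVE-2020-27218",)),
    ("com.fasterxml.jackson.core", "jackson-databind", "2.9.10.8",
     ("CVE-2021-20190", "CVE-2019-12086")),
]

# Constructed sample of `mvn dependency:list` output for a pre-fix build;
# this is not real project output.
SAMPLE_BEFORE = """\
[INFO] The following files have been resolved:
[INFO]    org.eclipse.jetty:jetty-server:jar:9.4.26.v20200117:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.9.10.5:compile
[INFO]    com.fasterxml.jackson.core:jackson-core:jar:2.9.10:compile
[INFO]    org.eclipse.jetty:jetty-servlet:jar:9.4.26.v20200117:compile
"""

# The same constructed sample after the upgrades named in this bulletin.
SAMPLE_AFTER = (SAMPLE_BEFORE
                .replace("9.4.26.v20200117", "9.4.35.v20201120")
                .replace("2.9.10.5", "2.9.10.8"))


def version_key(version):
    """Map '9.4.26.v20200117' to (9, 4, 26, 20200117) so versions compare numerically.
    Non-numeric qualifiers such as the 'v' are dropped; this suffices for the dotted
    Jetty and Jackson schemes above but is not a general Maven version comparator."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def parse_dependency_line(line):
    """Parse one dependency line as printed by `mvn dependency:list`:
    groupId:artifactId:type[:classifier]:version:scope.
    Returns (group, artifact, version), or None for log lines that are not dependencies."""
    text = line.replace("[INFO]", "").strip()
    parts = text.split(":")
    if len(parts) not in (5, 6):
        return None
    group, artifact, version = parts[0], parts[1], parts[-2]
    return group, artifact, version


def find_vulnerable(lines):
    """Return (coordinate, found_version, fixed_version, cves) for every dependency
    that is older than the fixed version in FIX_RULES, in input order."""
    findings = []
    for line in lines:
        parsed = parse_dependency_line(line)
        if parsed is None:
            continue
        group, artifact, version = parsed
        for rule_group, rule_artifact, fixed, cves in FIX_RULES:
            if group != rule_group:
                continue
            if rule_artifact is not None and artifact != rule_artifact:
                continue
            if version_key(version) < version_key(fixed):
                findings.append((f"{group}:{artifact}", version, fixed, cves))
    return findings


if __name__ == "__main__":
    for coord, found, fixed, cves in find_vulnerable(SAMPLE_BEFORE.splitlines()):
        print(f"{coord} {found} < {fixed}: {', '.join(cves)}")
    print("after upgrade:", find_vulnerable(SAMPLE_AFTER.splitlines()))
```

Feed it real output with `mvn dependency:list | python check_deps.py` style piping by replacing the constructed samples with `sys.stdin`; the parser already ignores the non-dependency log lines Maven prints around the list.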