PT-2018-5978 · Apache · Apache NiFi

Mike Cole · Published 2018-01-25 · Updated 2019-10-25 · CVE-2017-15703

CVSS v3.1: 5.0 (Medium)
Vector: AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Apache NiFi versions prior to 1.4.0; Apache NiFi versions prior to 1.5.0-RC1
Description: The issue allows any authenticated user to upload a template containing malicious code, potentially causing a denial of service via a Java deserialization attack. Additionally, an attacker can perform XXE attacks through JAXB when the uploaded template XML is unmarshalled.
Recommendations: For Apache NiFi versions prior to 1.4.0, upgrade to Apache NiFi 1.4.0 or later to properly handle Java deserialization and mitigate the risk of denial of service attacks. For Apache NiFi versions prior to 1.5.0-RC1, upgrade to Apache NiFi 1.5.0-RC1 or later to prevent XXE attacks through JAXB.
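The XXE part of this advisory comes from handing attacker-controlled XML to JAXB without controlling the underlying parser. The following is an added example written for this page (not Apache NiFi's code and not its TemplateDTO class) that contrasts the weak pattern, where JAXB builds its own parser from a Reader, with the hardened pattern, where the application configures a StAX reader with DTD support and external entity resolution disabled and passes that reader to JAXB. The class name, the minimal `template` document and the sample inputs are all constructed for illustration; it assumes the JAXB API (`javax.xml.bind`) is on the classpath, which is bundled through Java 8 and a separate dependency on Java 11 and later.

```java
import java.io.StringReader;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.bind.Unmarshaller;
import javax.xml.bind.annotation.XmlAccessType;
import javax.xml.bind.annotation.XmlAccessorType;
import javax.xml.bind.annotation.XmlElement;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

// Hypothetical minimal "template" document class. It stands in for whatever
// JAXB-mapped class an application binds uploaded XML to; it is not NiFi's.
@XmlRootElement(name = "template")
@XmlAccessorType(XmlAccessType.FIELD)
public class HardenedTemplateUnmarshal {

    @XmlElement
    public String name;

    // Weak pattern: JAXB builds its own parser from the Reader. Whether DTDs
    // and external entities are resolved then depends on the JAXP
    // implementation and its defaults, so XXE is not reliably prevented.
    public static HardenedTemplateUnmarshal unmarshalDefault(String xml) throws JAXBException {
        Unmarshaller um = JAXBContext.newInstance(HardenedTemplateUnmarshal.class).createUnmarshaller();
        return (HardenedTemplateUnmarshal) um.unmarshal(new StringReader(xml));
    }

    // Hardened pattern: parse with a StAX reader configured by the application
    // and hand that reader to JAXB. DTD processing is disabled (current JDK
    // parsers reject a DOCTYPE; older ones skip it) and external entities are
    // never resolved, independent of JAXP defaults.
    public static HardenedTemplateUnmarshal unmarshalHardened(String xml)
            throws JAXBException, XMLStreamException {
        XMLInputFactory xif = XMLInputFactory.newFactory();
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        XMLStreamReader reader = xif.createXMLStreamReader(new StringReader(xml));
        try {
            Unmarshaller um = JAXBContext.newInstance(HardenedTemplateUnmarshal.class).createUnmarshaller();
            return (HardenedTemplateUnmarshal) um.unmarshal(reader);
        } finally {
            reader.close();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: a plain template, and one carrying a DOCTYPE with
        // an internal entity only, enough to show that DTD handling is off.
        String plain = "<template><name>example-flow</name></template>";
        String withDoctype = "<!DOCTYPE template [<!ENTITY x \"expanded\">]>"
                + "<template><name>&x;</name></template>";

        System.out.println("hardened, plain:   name=" + unmarshalHardened(plain).name);
        try {
            HardenedTemplateUnmarshal t = unmarshalHardened(withDoctype);
            // Reached only on parsers that skip rather than reject the DOCTYPE;
            // even then the entity is not expanded.
            System.out.println("hardened, doctype: accepted without expansion, name=" + t.name);
        } catch (XMLStreamException | JAXBException e) {
            System.out.println("hardened, doctype: rejected (" + e.getClass().getSimpleName() + ")");
        }
    }
}
```

Compile and run it as `HardenedTemplateUnmarshal.java` with the JAXB API available; the hardened path either rejects the DOCTYPE document or parses it with the entity left unexpanded, while `unmarshalDefault` is kept only to show the shape of the call that leaves parser hardening to JAXP defaults.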

Fix

Deserialization of Untrusted Data

Weakness Enumeration

Related identifiers

CVE-2017-15703
GHSA-XWX6-VMJ4-5RV8

Affected products

Apache NiFi