David Handermann

**Name of the Vulnerable Software and Affected Versions** Apache NiFi versions 1.1.0 through 2.7.2 **Description** Apache NiFi installations are affected by a missing authorization check when updating configuration properties on extension components with specific Required Permissions based on the Restricted annotation. The Restricted annotation indicates additional privileges needed to add a component to the flow configuration, but the framework did not verify the restricted status during updates to previously added components. This allows a user with lower privileges to modify the configuration of restricted components, potentially compromising dataflow logic or triggering unsafe actions. Installations that do not implement different authorization levels for Restricted components are not affected, as the framework relies on write permissions as a security boundary. **Recommendations** Upgrade to Apache NiFi version 2.8.0 to address this issue.

**Name of the Vulnerable Software and Affected Versions** Apache Parquet versions prior to 1.15.2 **Description** The vulnerability in Apache Parquet Java allows remote code execution via insecure parquet-avro module schema parsing. The issue affects versions up to 1.15.1. The parquet-avro module is responsible for processing Avro schemas within the metadata of Parquet files. Despite an earlier update in version 1.15.1 intended to restrict untrusted packages, the default settings remain permissive enough that harmful classes can still be executed. This is particularly worrisome for data processing pipelines that may draw files from untrusted sources, putting any application utilizing this module at risk of remote code execution. The exploit is only applicable if the client code of parquet-avro uses the "specific" or the "reflect" models deliberately for reading Parquet files. **Recommendations** Apache Parquet version 1.15.1: Set the system property "org.apache.parquet.avro.SERIALIZABLE PACKAGES" to an empty string. Apache Parquet versions prior to 1.15.1: Upgrade to version 1.15.2. Apache Parquet versions prior to 1.15.2 (general recommendation): Upgrade to version 1.15.2 to ensure safety.

**Name of the Vulnerable Software and Affected Versions** Apache NiFi versions 1.16.0 through 1.28.0 Apache NiFi versions 2.0.0-M1 through 2.0.0-M4 **Description** The issue concerns the optional debug logging of `Parameter Context` values during the flow synchronization process in Apache NiFi. An authorized administrator with access to change logging levels could enable debug logging, causing the application to write `Parameter` names and values to the application log. `Parameter Context` values may contain sensitive information depending on the application flow configuration. Deployments with the default Logback configuration do not log `Parameter Context` values. **Recommendations** For Apache NiFi versions 1.16.0 through 1.28.0, upgrade to Apache NiFi 1.28.1 to eliminate `Parameter` value logging from the flow synchronization process. For Apache NiFi versions 2.0.0-M1 through 2.0.0-M4, upgrade to Apache NiFi 2.0.0 to eliminate `Parameter` value logging from the flow synchronization process.

**Name of the Vulnerable Software and Affected Versions** Apache Calcite versions prior to 1.32.0 **Description** The issue is related to the SQL operators EXISTS NODE, EXTRACT XML, XML TRANSFORM, and EXTRACT VALUE not restricting XML External Entity references in their configuration, making them vulnerable to a potential XML External Entity (XXE) attack. Any client exposing these operators, typically by using Oracle dialect or MySQL dialect, is affected by this issue. The extent of the vulnerability depends on the user under which the application is running. **Recommendations** For Apache Calcite versions prior to 1.32.0, consider upgrading to version 1.32.0 or later, where Document Type Declarations and XML External Entity resolution are disabled on the impacted operators. As a temporary workaround, consider restricting the use of the SQL operators EXISTS NODE, EXTRACT XML, XML TRANSFORM, and EXTRACT VALUE to minimize the risk of exploitation. Additionally, restrict access to the Oracle and MySQL dialects to reduce the attack surface.

**Name of the Vulnerable Software and Affected Versions** Apache NiFi versions 1.10.0 through 1.16.2 Apache NiFi Registry versions 0.6.0 through 1.16.2 **Description** The optional ShellUserGroupProvider does not neutralize arguments for group resolution commands, allowing injection of operating system commands on Linux and macOS platforms. This issue requires the ShellUserGroupProvider to be enabled in the Authorizers configuration and an authenticated user with elevated privileges. Apache NiFi requires authorization to modify access policies, while Apache NiFi Registry requires authorization to read user groups to execute the command. The resolution involves removing command formatting based on user-provided arguments. **Recommendations** For Apache NiFi versions 1.10.0 through 1.16.2, consider disabling the ShellUserGroupProvider until a patch is available. For Apache NiFi Registry versions 0.6.0 through 1.16.2, restrict access to the ShellUserGroupProvider to minimize the risk of exploitation. As a temporary workaround, remove command formatting based on user-provided arguments for both Apache NiFi and Apache NiFi Registry.

**Name of the Vulnerable Software and Affected Versions** Apache NiFi versions 0.0.1 through 1.16.0 **Description** The issue concerns multiple components in Apache NiFi that do not restrict XML External Entity references in the default configuration. Specifically, the Standard Content Viewer service and certain Processors (EvaluateXPath, EvaluateXQuery, ValidateXml) attempt to resolve XML External Entity references when configured with default property values. This makes Apache NiFi flow configurations that include these Processors vulnerable to malicious XML documents containing Document Type Declarations with XML External Entity references. **Recommendations** For Apache NiFi versions 0.0.1 through 1.16.0, update to version 1.16.1 or later, which disables Document Type Declarations in the default configuration for the affected Processors and disallows XML External Entity resolution in standard services. As a temporary workaround, consider disabling the `EvaluateXPath`, `EvaluateXQuery`, and `ValidateXml` Processors until a patch is available. Restrict access to the Standard Content Viewer service to minimize the risk of exploitation. Avoid using XML documents that contain Document Type Declarations with XML External Entity references in Apache NiFi flow configurations until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Apache NiFi versions prior to 1.16.0 **Description** The issue arises when creating or updating credentials for single-user access in Apache NiFi. NiFi writes a copy of the Login Identity Providers configuration to the operating system temporary directory, which has global read permissions on most platforms. Although NiFi immediately moves the temporary file to the final configuration directory, limiting the window of opportunity for access, the vulnerability still exists. The `org.apache.nifi.authentication.single.user.writer.StandardLoginCredentialsWriter` class contains a local information disclosure vulnerability due to writing credentials to a file readable by all other users on Unix-like systems. **Recommendations** For versions prior to 1.16.0, update to Apache NiFi 1.16.0 or later to replace the Login Identity Providers configuration without writing a file to the operating system temporary directory. As a temporary workaround, consider setting the `java.io.tmpdir` system environment variable to a directory exclusively owned by the executing user to fix this vulnerability for all operating systems.