Matt Gilman

**Name of the Vulnerable Software and Affected Versions** Apache NiFi versions 1.10.0 through 2.0.0 **Description** The issue is related to missing fine-grained authorization checking for Parameter Contexts, referenced Controller Services, and referenced Parameter Providers when creating new Process Groups. This allows clients to download non-sensitive Parameter values after creating the Process Group and enables clients to create Process Groups and use these components that were otherwise unauthorized. The scope is limited to authenticated users authorized to create Process Groups and deployments with component-based authorization policies. **Recommendations** Upgrading to Apache NiFi 2.1.0 is the recommended mitigation, which includes authorization checking for Parameter and Controller Service references on Process Group creation.

**Name of the Vulnerable Software and Affected Versions** Apache NiFi versions prior to 0.7.2 Apache NiFi versions 1.x prior to 1.1.2 **Description** The issue arises in a cluster environment when an anonymous user request is replicated to another node. Instead of using the "anonymous" user identity, the system uses the identity of the originating node. **Recommendations** For Apache NiFi versions prior to 0.7.2, update to version 0.7.2 or later. For Apache NiFi versions 1.x prior to 1.1.2, update to version 1.1.2 or later.

**Name of the Vulnerable Software and Affected Versions** Apache NiFi versions prior to 1.0.1 Apache NiFi versions 1.1.x prior to 1.1.1 **Description** The issue is related to a cross-site scripting vulnerability in the connection details dialog. This occurs when an authorized user accesses the dialog and user-supplied text is not properly handled when added to the DOM. **Recommendations** For Apache NiFi versions prior to 1.0.1, update to version 1.0.1 or later. For Apache NiFi versions 1.1.x prior to 1.1.1, update to version 1.1.1 or later.