PT-2018-13944 · Apache · Apache Nifi

Dan Fike +1 · Published 2018-12-19 · Updated 2019-02-07 · CVE-2018-17193

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Apache NiFi versions prior to 1.8.0

Description

The issue arises from the unsanitized use of the HTTP request header X-ProxyContextPath in the message-page.jsp error page, leading to a reflected XSS attack.

Recommendations

For versions prior to 1.8.0, upgrade to Apache NiFi 1.8.0 or a later version to apply the fix that correctly parses and sanitizes the request attribute value.

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2018-17193
GHSA-4QQ9-RRQ6-48FF

Affected Products

Apache Nifi