PT-2018-5978 · Apache · Apache Nifi

Mike Cole

·

Published

2018-01-25

·

Updated

2019-10-25

·

CVE-2017-15703

CVSS v3.1

5.0

Medium

Vector

AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Apache NiFi versions prior to 1.4.0 (Java deserialization denial of service); Apache NiFi versions prior to 1.5.0-RC1 (XXE through JAXB)
Description: Any authenticated user can upload a template containing malicious content. Processing such a template exposes NiFi to a Java deserialization attack that can result in a denial of service. Additionally, the JAXB unmarshalling used for uploaded XML does not disable external entity resolution, so an attacker can perform XML External Entity (XXE) attacks through JAXB. In both cases the only precondition is a valid authenticated session, so every account that can reach the template upload endpoint is in scope.
Recommendations: For Apache NiFi versions prior to 1.4.0, upgrade to Apache NiFi 1.4.0 or later, which properly handles Java deserialization and mitigates the denial-of-service risk. For Apache NiFi versions prior to 1.5.0-RC1, upgrade to Apache NiFi 1.5.0-RC1 or later to prevent XXE attacks through JAXB. Because 1.5.0-RC1 also contains the 1.4.0 fix, upgrading directly to 1.5.0-RC1 or later addresses both issues; after upgrading, review existing templates uploaded by low-privilege accounts before they are instantiated again.
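As an added example, not code from this page or from the Apache NiFi project, the following Java program shows the XXE exposure described above and the StAX-backed hardening that removes it: the vulnerable path hands JAXB a raw reader and lets the implementation pick its own parser defaults, while the hardened path parses with an XMLInputFactory that has DTDs and external entities switched off and passes that XMLStreamReader to JAXB. The Template class, its element names and the hostile upload are constructed for illustration and are not NiFi's TemplateDTO; the code assumes a JAXB implementation on the classpath (javax.xml.bind on JDK 8, or the jakarta.xml.bind artifacts with the import package renamed).

```java
import java.io.StringReader;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.bind.Unmarshaller;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class TemplateXxeDemo {

    // Hypothetical minimal template document (assumption; not NiFi's TemplateDTO).
    @XmlRootElement(name = "template")
    public static class Template {
        public String name;
        public String description;
    }

    // Constructed hostile upload: the description field pulls in a local file
    // through an external general entity declared in the DOCTYPE.
    static final String HOSTILE_TEMPLATE =
            "<?xml version=\"1.0\"?>\n"
          + "<!DOCTYPE template [<!ENTITY xxe SYSTEM \"file:///etc/hosts\">]>\n"
          + "<template><name>demo</name><description>&xxe;</description></template>";

    // Vulnerable pattern: JAXB builds its own parser from implementation defaults,
    // so whether the entity is resolved depends on the JAXB/JDK version, not on
    // anything the application controls.
    static Template unmarshalUnsafe(String xml) throws JAXBException {
        Unmarshaller u = JAXBContext.newInstance(Template.class).createUnmarshaller();
        return (Template) u.unmarshal(new StringReader(xml));
    }

    // Hardened pattern: parse with a StAX reader configured to refuse DTDs and
    // external entities, then let JAXB consume the already-constrained stream.
    static Template unmarshalSafe(String xml) throws JAXBException, XMLStreamException {
        XMLInputFactory xif = XMLInputFactory.newFactory();
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        XMLStreamReader reader = xif.createXMLStreamReader(new StringReader(xml));
        Unmarshaller u = JAXBContext.newInstance(Template.class).createUnmarshaller();
        return (Template) u.unmarshal(reader);
    }

    public static void main(String[] args) {
        // Depending on the JAXB implementation, the unsafe path either leaks the
        // file contents into the description or fails on the external access;
        // the point is that the application never decided which.
        try {
            Template t = unmarshalUnsafe(HOSTILE_TEMPLATE);
            System.out.println("unsafe: description = " + t.description);
        } catch (JAXBException e) {
            System.out.println("unsafe: parser default refused it: " + e.getMessage());
        }

        // The hardened path never resolves the entity: the StAX reader either
        // rejects the DOCTYPE outright or leaves the reference unexpanded.
        try {
            Template s = unmarshalSafe(HOSTILE_TEMPLATE);
            System.out.println("safe: description = " + s.description);
        } catch (XMLStreamException | JAXBException e) {
            System.out.println("safe: upload rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with a JAXB implementation on the classpath (`javac TemplateXxeDemo.java && java TemplateXxeDemo` on JDK 8). The design point is that the secure configuration lives on the XMLInputFactory the application owns, so it holds regardless of which JAXB or JDK version is deployed; the same reader should be used wherever XML uploaded by an authenticated user is unmarshalled, since the advisory's trust boundary is any authenticated account.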

Fix

Weakness Enumeration

CWE-502: Deserialization of Untrusted Data

Related Identifiers

CVE-2017-15703
GHSA-XWX6-VMJ4-5RV8

Affected Products

Apache Nifi