
Revision 1873874

Date: 2020/02/10 20:38:10
Author: alopresto
Revision Log: Reconciled severity levels and fixed row formatting.
Files:

  • nifi/site/trunk/security.html

     
    192 192 </div>
    193 193 <div class="row" style="background-color: aliceblue">
    194 194 <div class="large-12 columns">
    195 <p><a id="CVE-2020-1928" href="#CVE-2020-1928"><strong>CVE-2020-1928</strong></a>: Apache NiFi information disclosure by debug logging</p>
    195 <p><a id="CVE-2020-1928" href="#CVE-2020-1928"><strong>CVE-2020-1928</strong></a>: Apache NiFi information disclosure in logs</p>
    196 196 <p>Severity: <strong>Moderate</strong></p>
    197 197 <p>Versions Affected:</p>
    198 198 <ul>
    199 199 <li>Apache NiFi 1.10.0</li>
    200 200 </ul>
    201 201 </p>
    202 <p>Description: The sensitive parameter parser would log parsed values for debugging purposes. This would expose literal values entered in a sensitive property when no parameter was present. </p>
    202 <p>Description: The sensitive parameter parser would log parsed property descriptor values for debugging purposes. This would expose literal values entered in a sensitive property when no parameter was present. </p>
    203 203 <p>Mitigation: Removed debug logging from the class. Users running the 1.10.0 release should upgrade to the latest release. </p>
    204 204 <p>Credit: This issue was discovered by Andy LoPresto. </p>
    205 205 <p>CVE Link: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1928" target="_blank">Mitre Database: CVE-2020-1928</a></p>
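Review bot: the stray `</p>` at line 201 closes nothing, since `<p>Versions Affected:</p>` at 197 already closed itself and is followed only by a `<ul>`; this revision claims to fix row formatting but leaves that unmatched tag in place, so drop it (the same pattern recurs at 481). The new heading wording at 195, "information disclosure in logs", is consistent with the description at 202, which still explains that values were logged for debugging. One addition worth making to the Mitigation line at 203: upgrading removes the logging going forward but does not clear what was already written, so users who ran 1.10.0 should also review and purge existing application logs for exposed sensitive property values.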
     
    211 211 <div class="row">
    212 212 <div class="large-12 columns">
    213 213 <p><a id="CVE-2020-1933" href="#CVE-2020-1933"><strong>CVE-2020-1933</strong></a>: Apache NiFi XSS attack</p>
    214 <p>Severity: <strong>High</strong></p>
    214 <p>Severity: <strong>Important</strong></p>
    215 215 <p>Versions Affected:</p>
    216 216 <ul>
    217 217 <li>Apache NiFi 1.0.0 - 1.10.0</li>
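Review bot: the rename from High to Important at 214 matches the reconciled scale used elsewhere in this revision (Moderate / Important / Critical), but the hunk ends at the Versions Affected list, so the description and mitigation for CVE-2020-1933 are not visible; check that they do not also quote the old "High" wording, since the CVE-2018-17195 description at 482 had to be updated alongside its severity line for exactly that reason.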
     
    232 232 <h2><a id="1.11.0-dependency-vulnerabilities" href="#1.11.0-dependency-vulnerabilities">Dependency Vulnerabilities</a></h2>
    233 233 </div>
    234 234 </div>
    235 <div class="row">
    235 <div class="row" style="background-color: aliceblue">
    236 236 <div class="large-12 columns">
    237 237 <p><a id="CVE-2019-10768" href="#CVE-2019-10768"><strong>CVE-2019-10768</strong></a>: Apache NiFi's AngularJS usage</p>
    238 <p>Severity: <strong>High</strong></p>
    238 <p>Severity: <strong>Important</strong></p>
    239 239 <p>Versions Affected:</p>
    240 240 <ul>
    241 241 <li>Apache NiFi 1.8.0 - 1.10.0</li>
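Review bot: adding `style="background-color: aliceblue"` to the row at 235 changes the striping of the list that follows the Dependency Vulnerabilities heading at 232; the next row is outside the hunk, so confirm it is unstyled so that the alternation continues rather than producing two shaded rows back to back. The severity change at 238 (High to Important) is consistent with the other renames in this revision.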
     
    325 325 <div class="row">
    326 326 <div class="large-12 columns">
    327 327 <p><a id="CVE-2017-5637" href="#CVE-2017-5637"><strong>CVE-2017-5637, CVE-2016-5017, CVE-2018-8012</strong></a>: Apache NiFi's Zookeeper usage</p>
    328 <p>Severity: <strong>High</strong></p>
    328 <p>Severity: <strong>Important</strong></p>
    329 329 <p>Versions Affected:</p>
    330 330 <ul>
    331 331 <li>Apache NiFi 1.0.0 - 1.9.2</li>
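Review bot: the heading at 327 groups three CVEs (CVE-2017-5637, CVE-2016-5017, CVE-2018-8012) under a single anchor id, `CVE-2017-5637`, so deep links to `#CVE-2016-5017` or `#CVE-2018-8012` will not resolve; the Jackson entry at 601 gives each CVE its own `<a id="...">`, and this entry should follow that pattern while the line is being touched. The severity change at 328 is consistent with the rest of the revision.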
     
    473 473 <div class="row">
    474 474 <div class="large-12 columns">
    475 475 <p><a id="CVE-2018-17195" href="#CVE-2018-17195"><strong>CVE-2018-17195</strong></a>: Apache NiFi CSRF vulnerability in template upload API</p>
    476 <p>Severity: <strong>Severe</strong></p>
    476 <p>Severity: <strong>Critical</strong></p>
    477 477 <p>Versions Affected:</p>
    478 478 <ul>
    479 479 <li>Apache NiFi 1.0.0 - 1.7.1</li>
    480 480 </ul>
    481 481 </p>
    482 <p>Description: The template upload API endpoint accepted requests from different domain when sent in conjunction with ARP spoofing + meddler in the middle (MITM) attack, resulting in a CSRF attack. The required attack vector is complex, requiring a scenario with client certificate authentication, same subnet access, and injecting malicious code into an unprotected (plaintext HTTP) website which the targeted user later visits, but the possible damage warranted a <strong>Severe</strong> severity level. </p>
    482 <p>Description: The template upload API endpoint accepted requests from different domain when sent in conjunction with ARP spoofing + meddler in the middle (MITM) attack, resulting in a CSRF attack. The required attack vector is complex, requiring a scenario with client certificate authentication, same subnet access, and injecting malicious code into an unprotected (plaintext HTTP) website which the targeted user later visits, but the possible damage warranted a <strong>Critical</strong> severity level. </p>
    483 483 <p>Mitigation: The fix to apply Cross-Origin Resource Sharing (CORS) policy request filtering was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release. </p>
    484 484 <p>Credit: This issue was discovered by Mike Cole. </p>
    485 485 <p>CVE Link: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17195" target="_blank">Mitre Database: CVE-2018-17195</a></p>
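Review bot: updating the severity label at 476 and the embedded severity word in the description at 482 together is the right call, since the prose would otherwise contradict the label. While 482 is being rewritten, "accepted requests from different domain" should read "from a different domain". The stray `</p>` at 481 after the `</ul>` closes nothing and should be removed. The Mitigation line at 483 says users "should upgrade to the appropriate release", which is vague; since the same sentence states the fix shipped in 1.8.0, say "upgrade to 1.8.0 or later".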
     
    599 599 <div class="row" style="background-color: aliceblue">
    600 600 <div class="large-12 columns">
    601 601 <p><a id="CVE-2018-7489" href="#CVE-2018-7489"><strong>CVE-2018-7489</strong></a>, <a id="CVE-2017-7525" href="#CVE-2017-7525"><strong>CVE-2017-7525</strong></a>, and <a id="CVE-2017-15095" href="#CVE-2017-15095"><strong>CVE-2017-15095</strong></a>: Apache NiFi dependency vulnerability in FasterXML Jackson</p>
    602 <p>Severity: <strong>Severe</strong></p>
    602 <p>Severity: <strong>Critical</strong></p>
    603 603 <p>Versions Affected:</p>
    604 604 <ul>
    605 605 <li>Apache NiFi 0.1.0 - 1.6.0</li>
     
    691 691 <div class="row">
    692 692 <div class="large-12 columns">
    693 693 <p><a id="CVE-2017-8028" href="#CVE-2017-8028"><strong>CVE-2017-8028</strong></a>: Apache NiFi LDAP TLS issue because of Spring Security LDAP vulnerability</p>
    694 <p>Severity: <strong>Severe</strong></p>
    694 <p>Severity: <strong>Critical</strong></p>
    695 695 <p>Versions Affected:</p>
    696 696 <ul>
    697 697 <li>Apache NiFi 0.1.0 - 1.5.0</li>