Version 2.0.0
nifi
Apache NiFi is an easy to use, powerful, and reliable system to process and distribute data.
Install Instructions
mvn install nifi
Language Java
Package URL (purl) pkg:maven/org.apache.nifi:nifi@2.0.0
Find nifi vulnerabilities in your supply chain.
nifi Vulnerabilities
Sort by
CVE (Latest)
CVE (Latest)
-
CVE (Latest)
-
CVE (Oldest)
-
CVSS Score (Highest)
-
CVSS Score (Lowest)
CVE  |
CVSS Score |
CWE(s) |
EPSS Score |
EPSS % |
Impacted Versions |
|---|---|---|---|---|---|
| CVE-2017-12623 | Medium 6.5 | CWE-611 | 0.00047 | 0.19288 |
|
| CVE-2017-12632 | High 7.5 | CWE-20, CWE-269 | 0.00233 | 0.60961 |
|
| CVE-2017-15697 | High 9.8 | CWE-20 | 0.00956 | 0.83014 |
|
| CVE-2018-1309 | High 9.8 | CWE-611 | 0.00455 | 0.74912 |
|
| CVE-2018-1310 | High 7.5 | CWE-502 | 0.00134 | 0.49195 |
|
| CVE-2018-17192 | Medium 6.5 | CWE-1021 | 0.00264 | 0.65205 |
|
| CVE-2018-17193 | Medium 6.1 | CWE-79 | 0.00188 | 0.56328 |
|
| CVE-2018-17194 | High 7.5 | CWE-20 | 0.00102 | 0.42771 |
|
| CVE-2018-17195 | High 7.5 | CWE-863, CWE-319 | 0.00045 | 0.17591 |
|
| CVE-2019-10080 | Medium 6.5 | CWE-611 | 0.00114 | 0.45534 |
|
| CVE-2019-10083 | Medium 5.3 | CWE-200 | 0.00058 | 0.2616 |
|
| CVE-2019-12421 | High 8.8 | CWE-613 | 0.00078 | 0.35643 |
|
| CVE-2020-13940 | Medium 5.5 | CWE-611 | 0.00044 | 0.14426 |
|
| CVE-2020-1933 | Medium 6.1 | CWE-79 | 0.00161 | 0.5308 |
|
| CVE-2020-1942 | High 7.5 | CWE-532 | 0.00138 | 0.49773 |
|
| CVE-2020-9487 | High 7.5 | CWE-306 | 0.00126 | 0.47644 |
|
| CVE-2020-9491 | High 7.5 | CWE-327 | 0.00248 | 0.63901 |
|
| CVE-2021-44145 | Medium 6.5 | CWE-200 | 0.00053 | 0.23435 |
|
| CVE-2022-29265 | High 7.5 | CWE-611 | 0.0009 | 0.39866 |
|
| CVE-2023-22832 | High 7.5 | CWE-611 | 0.00127 | 0.47849 |
|
| CVE-2017-5635 | High 7.5 | CWE-287 | 0.001 | 0.42358 |
|
| CVE-2017-5636 | High 9.8 | CWE-74 | 0.00339 | 0.71076 |
|
| CVE-2017-7665 | Medium 6.1 | CWE-79 | 0.0007 | 0.3276 |
|
| CVE-2017-7667 | High 7.5 | CWE-346 | 0.00121 | 0.46847 |
|
| CVE-2016-8748 | Medium 5.4 | CWE-79 | 0.00061 | 0.27792 |
|
| CVE-2020-9486 | High 7.5 | CWE-532 | 0.00122 | 0.47015 |
|
| CVE-2022-33140 | High 8.8 | CWE-78 | 0.06661 | 0.9373 |
|
| CVE-2020-1928 | Medium 5.3 | CWE-532 | 0.00222 | 0.60081 |
|
nifi Vulnerability Remediation Guidance
| CVE | Description | Full list of Impacted Versions | Fix |
|---|---|---|---|
| CVE-2023-22832 | The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references. Flow configurations that include the ExtractCCDAAttributes Processor are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. The resolution disables Document Type Declarations and disallows XML External Entity resolution in the ExtractCCDAAttributes Processor. | 1.3.0, 1.2.0, 1.4.0, 1.5.0, 1.9.2, 1.9.1, 1.7.0, 1.8.0 (Show all) | Minor → 1.20.0 |
| CVE-2022-33140 | The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not neutralize arguments for group resolution commands, allowing injection of operating system commands on Linux and macOS platforms. The ShellUserGroupProvider is not included in the default configuration. Command injection requires ShellUserGroupProvider to be one of the enabled User Group Providers in the Authorizers configuration. Command injection also requires an authenticated user with elevated privileges. Apache NiFi requires an authenticated user with authorization to modify access policies in order to execute the command. Apache NiFi Registry requires an authenticated user with authorization to read user groups in order to execute the command. The resolution removes command formatting based on user-provided arguments. | 1.11.4, 1.10.0, 1.11.1, 1.11.3, 1.11.0, 1.11.2, 1.13.0, 1.16.0 (Show all) | Minor → 1.20.0 |
| CVE-2022-29265 | Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configuration. The Standard Content Viewer service attempts to resolve XML External Entity references when viewing formatted XML files. The following Processors attempt to resolve XML External Entity references when configured with default property values: - EvaluateXPath - EvaluateXQuery - ValidateXml Apache NiFi flow configurations that include these Processors are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. The resolution disables Document Type Declarations in the default configuration for these Processors, and disallows XML External Entity resolution in standard services. | 1.3.0, 1.1.1, 0.7.0, 0.3.0, 1.1.2, 1.0.0, 0.5.1, 1.2.0 (Show all) | Minor → 1.20.0 |
| CVE-2021-44145 | In the TransformXML processor of Apache NiFi before 1.15.1 an authenticated user could configure an XSLT file which, if it included malicious external entity calls, may reveal sensitive information. | 1.3.0, 1.1.1, 0.7.0, 0.3.0, 1.1.2, 1.0.0, 0.5.1, 1.2.0 (Show all) | Minor → 1.20.0 |
| CVE-2020-9491 | In Apache NiFi 1.2.0 to 1.11.4, the NiFi UI and API were protected by mandating TLS v1.2, as well as listening connections established by processors like ListenHTTP, HandleHttpRequest, etc. However intracluster communication such as cluster request replication, Site-to-Site, and load balanced queues continued to support TLS v1.0 or v1.1. | 1.3.0, 1.2.0, 1.4.0, 1.5.0, 1.9.2, 1.9.1, 1.7.0, 1.8.0 (Show all) | Minor → 1.20.0 |
| CVE-2020-9487 | In Apache NiFi 1.0.0 to 1.11.4, the NiFi download token (one-time password) mechanism used a fixed cache size and did not authenticate a request to create a download token, only when attempting to use the token to access the content. An unauthenticated user could repeatedly request download tokens, preventing legitimate users from requesting download tokens. | 1.3.0, 1.1.1, 1.1.2, 1.0.0, 1.2.0, 1.1.0, 1.0.1, 1.4.0 (Show all) | Minor → 1.20.0 |
| CVE-2020-9486 | In Apache NiFi 1.10.0 to 1.11.4, the NiFi stateless execution engine produced log output which included sensitive property values. When a flow was triggered, the flow definition configuration JSON was printed, potentially containing sensitive values in plaintext. | 1.11.4, 1.10.0, 1.11.1, 1.11.3, 1.11.0, 1.11.2 | Minor → 1.20.0 |
| CVE-2020-1942 | In Apache NiFi 0.0.1 to 1.11.0, the flow fingerprint factory generated flow fingerprints which included sensitive property descriptor values. In the event a node attempted to join a cluster and the cluster flow was not inheritable, the flow fingerprint of both the cluster and local flow was printed, potentially containing sensitive values in plaintext. | 1.3.0, 1.1.1, 0.7.0, 0.3.0, 1.1.2, 1.0.0, 0.5.1, 1.2.0 (Show all) | Minor → 1.20.0 |
| CVE-2020-1933 | A XSS vulnerability was found in Apache NiFi 1.0.0 to 1.10.0. Malicious scripts could be injected to the UI through action by an unaware authenticated user in Firefox. Did not appear to occur in other browsers. | 1.3.0, 1.1.1, 1.1.2, 1.0.0, 1.2.0, 1.1.0, 1.0.1, 1.4.0 (Show all) | Minor → 1.20.0 |
| CVE-2020-1928 | An information disclosure vulnerability was found in Apache NiFi 1.10.0. The sensitive parameter parser would log parsed values for debugging purposes. This would expose literal values entered in a sensitive property when no parameter was present. | 1.10.0 | Minor → 1.20.0 |
| CVE-2020-13940 | In Apache NiFi 1.0.0 to 1.11.4, the notification service manager and various policy authorizer and user group provider objects allowed trusted administrators to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE). | 1.3.0, 1.1.1, 1.1.2, 1.0.0, 1.2.0, 1.1.0, 1.0.1, 1.4.0 (Show all) | Minor → 1.20.0 |
| CVE-2019-12421 | When using an authentication mechanism other than PKI, when the user clicks Log Out in NiFi versions 1.0.0 to 1.9.2, NiFi invalidates the authentication token on the client side but not on the server side. This permits the user's client-side token to be used for up to 12 hours after logging out to make API requests to NiFi. | 1.3.0, 1.4.0, 1.5.0, 1.9.2, 1.9.1, 1.7.0, 1.8.0, 1.7.1 (Show all) | Minor → 1.20.0 |
| CVE-2019-10083 | When updating a Process Group via the API in NiFi versions 1.3.0 to 1.9.2, the response to the request includes all of its contents (at the top most level, not recursively). The response included details about processors and controller services which the user may not have had read access to. | 1.3.0, 1.4.0, 1.5.0, 1.9.2, 1.9.1, 1.7.0, 1.8.0, 1.7.1 (Show all) | Minor → 1.20.0 |
| CVE-2019-10080 | The XMLFileLookupService in NiFi versions 1.3.0 to 1.9.2 allowed trusted users to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE) and reveal information such as the versions of Java, Jersey, and Apache that the NiFI instance uses. | 1.3.0, 1.4.0, 1.5.0, 1.9.2, 1.9.1, 1.7.0, 1.8.0, 1.7.1 (Show all) | Minor → 1.20.0 |
| CVE-2018-17195 | The template upload API endpoint accepted requests from different domain when sent in conjunction with ARP spoofing + man in the middle (MiTM) attack, resulting in a CSRF attack. The required attack vector is complex, requiring a scenario with client certificate authentication, same subnet access, and injecting malicious code into an unprotected (plaintext HTTP) website which the targeted user later visits, but the possible damage warranted a Severe severity level. Mitigation: The fix to apply Cross-Origin Resource Sharing (CORS) policy request filtering was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release. | 1.3.0, 1.1.1, 1.1.2, 1.0.0, 1.2.0, 1.1.0, 1.0.1, 1.4.0 (Show all) | Minor → 1.20.0 |
| CVE-2018-17194 | When a client request to a cluster node was replicated to other nodes in the cluster for verification, the Content-Length was forwarded. On a DELETE request, the body was ignored, but if the initial request had a Content-Length value other than 0, the receiving nodes would wait for the body and eventually timeout. Mitigation: The fix to check DELETE requests and overwrite non-zero Content-Length header values was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release. | 1.3.0, 1.1.1, 1.1.2, 1.0.0, 1.2.0, 1.1.0, 1.0.1, 1.4.0 (Show all) | Minor → 1.20.0 |
| CVE-2018-17193 | The message-page.jsp error page used the value of the HTTP request header X-ProxyContextPath without sanitization, resulting in a reflected XSS attack. Mitigation: The fix to correctly parse and sanitize the request attribute value was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release. | 1.3.0, 1.1.1, 1.1.2, 1.0.0, 1.2.0, 1.1.0, 1.0.1, 1.4.0 (Show all) | Minor → 1.20.0 |
| CVE-2018-17192 | The X-Frame-Options headers were applied inconsistently on some HTTP responses, resulting in duplicate or missing security headers. Some browsers would interpret these results incorrectly, allowing clickjacking attacks. Mitigation: The fix to consistently apply the security headers was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release. | 1.3.0, 1.1.1, 1.1.2, 1.0.0, 1.2.0, 1.1.0, 1.0.1, 1.4.0 (Show all) | Minor → 1.20.0 |
| CVE-2018-1310 | Apache NiFi JMS Deserialization issue because of ActiveMQ client vulnerability. Malicious JMS content could cause denial of service. See ActiveMQ CVE-2015-5254 announcement for more information. The fix to upgrade the activemq-client library to 5.15.3 was applied on the Apache NiFi 1.6.0 release. Users running a prior 1.x release should upgrade to the appropriate release. | 1.3.0, 1.1.1, 0.7.0, 0.3.0, 1.1.2, 1.0.0, 0.5.1, 1.2.0 (Show all) | Minor → 1.20.0 |
| CVE-2018-1309 | Apache NiFi External XML Entity issue in SplitXML processor. Malicious XML content could cause information disclosure or remote code execution. The fix to disable external general entity parsing and disallow doctype declarations was applied on the Apache NiFi 1.6.0 release. Users running a prior 1.x release should upgrade to the appropriate release. | 1.3.0, 1.1.1, 0.7.0, 0.3.0, 1.1.2, 1.0.0, 0.5.1, 1.2.0 (Show all) | Minor → 1.20.0 |
| CVE-2017-7667 | Apache NiFi before 0.7.4 and 1.x before 1.3.0 need to establish the response header telling browsers to only allow framing with the same origin. | 1.1.1, 0.7.0, 0.3.0, 1.1.2, 1.0.0, 0.5.1, 1.2.0, 0.4.0 (Show all) | Minor → 1.20.0 |
| CVE-2017-7665 | In Apache NiFi before 0.7.4 and 1.x before 1.3.0, there are certain user input components in the UI which had been guarding for some forms of XSS issues but were insufficient. | 1.1.1, 0.7.0, 0.3.0, 1.1.2, 1.0.0, 0.5.1, 1.2.0, 0.4.0 (Show all) | Minor → 1.20.0 |
| CVE-2017-5636 | In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, the proxy chain serialization/deserialization is vulnerable to an injection attack where a carefully crafted username could impersonate another user and gain their permissions on a replicated request to another node. | 1.1.1, 0.7.0, 0.3.0, 1.0.0, 0.5.1, 0.4.0, 0.7.1, 0.6.0 (Show all) | Minor → 1.20.0 |
| CVE-2017-5635 | In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, if an anonymous user request is replicated to another node, the originating node identity is used rather than the "anonymous" user. | 1.1.1, 0.7.0, 0.3.0, 1.0.0, 0.5.1, 0.4.0, 0.7.1, 0.6.0 (Show all) | Minor → 1.20.0 |
| CVE-2017-15697 | A malicious X-ProxyContextPath or X-Forwarded-Context header containing external resources or embedded code could cause remote code execution. The fix to properly handle these headers was applied on the Apache NiFi 1.5.0 release. Users running a prior 1.x release should upgrade to the appropriate release. | 1.3.0, 1.1.1, 1.1.2, 1.0.0, 1.2.0, 1.1.0, 1.0.1, 1.4.0 | Minor → 1.20.0 |
| CVE-2017-12632 | A malicious host header in an incoming HTTP request could cause NiFi to load resources from an external server. The fix to sanitize host headers and compare to a controlled whitelist was applied on the Apache NiFi 1.5.0 release. Users running a prior 1.x release should upgrade to the appropriate release. | 1.3.0, 1.1.1, 1.1.2, 1.0.0, 1.2.0, 1.1.0, 1.0.1, 1.4.0 | Minor → 1.20.0 |
| CVE-2017-12623 | An authorized user could upload a template which contained malicious code and accessed sensitive files via an XML External Entity (XXE) attack. The fix to properly handle XML External Entities was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should upgrade to the appropriate release. | 1.3.0, 1.1.1, 1.1.2, 1.0.0, 1.2.0, 1.1.0, 1.0.1 | Minor → 1.20.0 |
| CVE-2016-8748 | In Apache NiFi before 1.0.1 and 1.1.x before 1.1.1, there is a cross-site scripting vulnerability in connection details dialog when accessed by an authorized user. The user supplied text was not being properly handled when added to the DOM. | 0.7.0, 0.3.0, 1.0.0, 0.5.1, 0.4.0, 1.0.0-BETA, 0.7.4, 0.7.1 (Show all) | Major → 1.20.0 |
Instantly see if these nifi vulnerabilities affect your code.
Dependencies
Packages using versions of nifi affected by its vulnerabilities
| Dependent Packages |
|---|
| org.apache.nifi:nifi-api:${nifi-api.version} |
| org.eclipse.jetty:jetty-bom:${jetty.version} |
| org.eclipse.jetty.ee10:jetty-ee10-bom:${jetty.version} |
| org.bouncycastle:bcprov-jdk18on:${org.bouncycastle.version} |
| org.bouncycastle:bcpkix-jdk18on:${org.bouncycastle.version} |
| org.bouncycastle:bcpg-jdk18on:${org.bouncycastle.version} |
| org.bouncycastle:bcutil-jdk18on:${org.bouncycastle.version} |
| org.bouncycastle:bcmail-jdk18on:${org.bouncycastle.version} |
| org.apache.avro:avro:${avro.version} |
| org.apache.avro:avro-ipc:${avro.version} |
| org.apache.avro:avro-mapred:${avro.version} |
| commons-cli:commons-cli:${org.apache.commons.cli.version} |
| commons-codec:commons-codec:${org.apache.commons.codec.version} |
| org.apache.commons:commons-compress:${org.apache.commons.compress.version} |
| com.github.luben:zstd-jni:${com.github.luben.zstd-jni.version} |
| org.apache.commons:commons-configuration2:${org.apache.commons.configuration.version} |
| commons-io:commons-io:${org.apache.commons.io.version} |
| org.apache.commons:commons-lang3:${org.apache.commons.lang3.version} |
| commons-net:commons-net:${org.apache.commons.net.version} |
| org.apache.commons:commons-text:${org.apache.commons.text.version} |
| org.apache.httpcomponents:httpclient:${org.apache.httpcomponents.httpclient.version} |
| org.apache.httpcomponents:httpcore:${org.apache.httpcomponents.httpcore.version} |
| org.apache.httpcomponents:fluent-hc:${org.apache.httpcomponents.httpclient.version} |
| org.junit:junit-bom:5.11.3 |
| org.slf4j:slf4j-bom:${org.slf4j.version} |
| ch.qos.logback:logback-classic:${logback.version} |
| ch.qos.logback:logback-core:${logback.version} |
| org.mockito:mockito-bom:${mockito.version} |
| org.apache.groovy:groovy-all:${groovy.version} |
| org.testcontainers:testcontainers-bom:${testcontainers.version} |
| jakarta.ws.rs:jakarta.ws.rs-api:${jakarta.ws.rs-api.version} |
| org.aspectj:aspectjweaver:${aspectj.version} |
| com.google.code.gson:gson:${gson.version} |
| io.swagger.core.v3:swagger-annotations:${swagger.annotations.version} |
| io.fabric8:kubernetes-client-bom:${io.fabric8.kubernetes.client.version} |
| io.prometheus:simpleclient_bom:${prometheus.version} |
| org.yaml:snakeyaml:${snakeyaml.version} |
| com.jayway.jsonpath:json-path:${com.jayway.jsonpath.version} |
| com.amazonaws:aws-java-sdk-bom:${com.amazonaws.version} |
| com.amazonaws:aws-java-sdk-core:${com.amazonaws.version} |
| com.amazonaws:aws-java-sdk-bundle:${com.amazonaws.version} |
| software.amazon.awssdk:bom:${software.amazon.awssdk.version} |
| com.fasterxml.jackson:jackson-bom:${jackson.bom.version} |
| org.xerial.snappy:snappy-java:1.1.10.7 |
| org.apache.logging.log4j:log4j-bom:${log4j2.version} |
| io.netty:netty-bom:${netty.4.version} |
| org.springframework:spring-framework-bom:${spring.version} |
| org.springframework.security:spring-security-bom:${spring.security.version} |
| com.squareup.okhttp3:okhttp-bom:${okhttp.version} |
| com.squareup.okio:okio:${okio.version} |
| com.squareup.okio:okio-fakefilesystem:${okio.version} |
| org.jetbrains.kotlin:kotlin-bom:${kotlin.version} |
| org.glassfish.jersey:jersey-bom:${jersey.bom.version} |
| jakarta.xml.bind:jakarta.xml.bind-api:${jakarta.xml.bind-api.version} |
| org.glassfish.jaxb:jaxb-runtime:${jaxb.runtime.version} |
| com.sun.activation:javax.activation:1.2.0 |
| javax.annotation:javax.annotation-api:1.3.2 |
| org.jsoup:jsoup:1.18.1 |
| com.github.ben-manes.caffeine:caffeine:${caffeine.version} |
| org.apache.commons:commons-dbcp2:${commons.dbcp2.version} |
| org.apache.zookeeper:zookeeper:${zookeeper.version} |
| org.apache.zookeeper:zookeeper-jute:${zookeeper.version} |
| org.apache.velocity:velocity-engine-core:${velocity-engine-core.version} |
| junit:junit:4.13.2 |
| org.junit.platform:junit-platform-commons:1.11.3 |
| org.junit.jupiter:junit-jupiter-api: |
| org.junit.jupiter:junit-jupiter-engine: |
| org.junit.jupiter:junit-jupiter-params: |
| org.mockito:mockito-core: |
| org.mockito:mockito-junit-jupiter: |
| org.junit.platform:junit-platform-commons: |
| org.slf4j:slf4j-simple: |
| com.puppycrawl.tools:checkstyle:10.18.2 |
| :: |
| :: |
| :: |
| :: |
| :: |
| :: |
| :: |