CRITICAL🇬🇧 English

CVE-2017-5636

CVSS 9.8v3.0pub. 2017-10-19upd. 2026-05-13

In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, the proxy chain serialization/deserialization is vulnerable to an injection attack where a carefully crafted username could impersonate another user and gain their permissions on a replicated request to another node.

oryginał EN
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Apache Nifi

    APP
    Apache
    0.7.00.7.11.1.01.1.1
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
Tagi
Deserialization
CWE
Referencje

Powiązane podatności

CVE-2018-1309CRITICAL9.8ten sam produkt

Apache NiFi External XML Entity issue in SplitXML processor. Malicious XML content could cause information dis...

CVE-2017-15697CRITICAL9.8ten sam produkt

A malicious X-ProxyContextPath or X-Forwarded-Context header containing external resources or embedded code co...

CVE-2026-44914HIGH7.5ten sam produkt

Apache NiFi 1.12.0 through 2.9.0 are missing authorization when replacing Process Groups that include extensio...

CVE-2026-39816HIGH7.5ten sam produkt

The optional extension component TinkerpopClientService is missing the Restricted annotation with the Execute ...

CVE-2026-25903HIGH8.7ten sam produkt

Apache NiFi 1.1.0 through 2.7.2 are missing authorization when updating configuration properties on extension ...