In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, the proxy chain serialization/deserialization is vulnerable to an injection attack where a carefully crafted username could impersonate another user and gain their permissions on a replicated request to another node.
oryginał ENCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HApache Nifi
APPApache0.7.00.7.11.1.01.1.1
Powiązane podatności
Apache NiFi External XML Entity issue in SplitXML processor. Malicious XML content could cause information dis...
A malicious X-ProxyContextPath or X-Forwarded-Context header containing external resources or embedded code co...
Apache NiFi 1.12.0 through 2.9.0 are missing authorization when replacing Process Groups that include extensio...
The optional extension component TinkerpopClientService is missing the Restricted annotation with the Execute ...
Apache NiFi 1.1.0 through 2.7.2 are missing authorization when updating configuration properties on extension ...