A malicious X-ProxyContextPath or X-Forwarded-Context header containing external resources or embedded code could cause remote code execution. The fix to properly handle these headers was applied on the Apache NiFi 1.5.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HApache Nifi
APPApache1.0.0 – 1.4.0
Related vulnerabilities
Apache NiFi External XML Entity issue in SplitXML processor. Malicious XML content could cause information dis...
In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, the proxy chain serialization/deser...
Apache NiFi 1.12.0 through 2.9.0 are missing authorization when replacing Process Groups that include extensio...
The optional extension component TinkerpopClientService is missing the Restricted annotation with the Execute ...
Apache NiFi 1.1.0 through 2.7.2 are missing authorization when updating configuration properties on extension ...