GHSA-xwx6-vmj4-5rv8

Опубликовано: 25 окт. 2019

Источник: github

Github: Прошло ревью

CVSS3: 5

Описание

Denial of service via deserialization attack in nifi

A vulnerability found in Apache NIFI before 1.5.0-RC1. Attacker can perform XXE attacks through JAXB.

Ссылки

https://github.com/apache/nifi/commit/9e2c7be7d3c6a380c5f61074d9a5a690b617c3dc

Пакеты

Наименование

org.apache.nifi:nifi-framework-cluster-protocol

maven

Затронутые версииВерсия исправления

< 1.5.0

1.5.0

EPSS

Процентиль: 58%

0.00377

Низкий

5 Medium

CVSS3

CVE ID

CVE-2017-15703

Дефекты

CWE-502

Связанные уязвимости

CVE-2017-15703

CVSS3: 5

nvd

больше 7 лет назад

Any authenticated user (valid client certificate but without ACL permissions) could upload a template which contained malicious code and caused a denial of service via Java deserialization attack. The fix to properly handle Java deserialization was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should upgrade to the appropriate release.

EPSS

Процентиль: 58%

0.00377

Низкий

5 Medium

CVSS3

CVE ID

CVE-2017-15703

Дефекты

CWE-502