CVE-2017-15703

Опубликовано: 25 янв. 2018

Источник: nvd

CVSS3: 5

CVSS2: 3.5

EPSS Низкий

Описание

Any authenticated user (valid client certificate but without ACL permissions) could upload a template which contained malicious code and caused a denial of service via Java deserialization attack. The fix to properly handle Java deserialization was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should upgrade to the appropriate release.

Ссылки

https://nifi.apache.org/security.html#CVE-2017-15703
Vendor Advisory
https://nifi.apache.org/security.html#CVE-2017-15703
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*

Версия от 1.0.0 (включая) до 1.4.0 (включая)

EPSS

Процентиль: 58%

0.00377

Низкий

5 Medium

CVSS3

3.5 Low

CVSS2

Дефекты

CWE-502

Связанные уязвимости

GHSA-xwx6-vmj4-5rv8