Vulnerability Details CVE-2017-15703
Any authenticated user (valid client certificate but without ACL permissions) could upload a template which contained malicious code and caused a denial of service via Java deserialization attack. The fix to properly handle Java deserialization was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.004
EPSS Ranking 58.4%
CVSS Severity
CVSS v3 Score 5.0
CVSS v2 Score 3.5
References
Products affected by CVE-2017-15703
-
cpe:2.3:a:apache:nifi:1.0.0
-
cpe:2.3:a:apache:nifi:1.0.1
-
cpe:2.3:a:apache:nifi:1.1.0
-
cpe:2.3:a:apache:nifi:1.1.1
-
cpe:2.3:a:apache:nifi:1.1.2
-
cpe:2.3:a:apache:nifi:1.2.0
-
cpe:2.3:a:apache:nifi:1.3.0
-
cpe:2.3:a:apache:nifi:1.4.0