In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, if an anonymous user request is replicated to another node, the originating node identity is used rather than the "anonymous" user.
CVSS Score
7.5
EPSS Score
0.011
Published
2017-10-19
In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, the proxy chain serialization/deserialization is vulnerable to an injection attack where a carefully crafted username could impersonate another user and gain their permissions on a replicated request to another node.
CVSS Score
9.8
EPSS Score
0.01
Published
2017-10-19
In Apache NiFi before 0.7.4 and 1.x before 1.3.0, there are certain user input components in the UI which had been guarding for some forms of XSS issues but were insufficient.
CVSS Score
6.1
EPSS Score
0.011
Published
2017-06-12
Apache NiFi before 0.7.4 and 1.x before 1.3.0 need to establish the response header telling browsers to only allow framing with the same origin.
CVSS Score
7.5
EPSS Score
0.004
Published
2017-06-12
Page 2