threatengine.sh
Product: apache nifi
46 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE            | Affected versions        | CVSS | Severity | Summary
---------------|--------------------------|------|----------|--------
CVE-2026-39816 | >= 2.0.0 and < 2.9.0     | 8.8  | HIGH     | The optional extension component TinkerpopClientService is missing the Restricted annotation with the Execute Code Required Permis
CVE-2026-25903 | >= 1.1.0 and < 2.8.0     | 6.6  | MEDIUM   | Apache NiFi 1.1.0 through 2.7.2 are missing authorization when updating configuration properties on extension components that have
CVE-2025-66524 | >= 1.20.0 and < 2.7.0    | 8.8  | HIGH     | Apache NiFi 1.20.0 through 2.6.0 include the GetAsanaObject Processor, which requires integration with a configurable Distribute M
CVE-2025-27017 | >= 1.13.0 and < 2.3.0    | 6.5  | MEDIUM   | Apache NiFi 1.13.0 through 2.2.0 includes the username and password used to authenticate with MongoDB in the NiFi provenance event
CVE-2024-56512 | >= 1.10.0 and < 2.1.0    | 5.4  | MEDIUM   | Apache NiFi 1.10.0 through 2.0.0 are missing fine-grained authorization checking for Parameter Contexts, referenced Controller Ser
CVE-2024-52067 | >= 1.16.0 and < 1.28.1   | 4.9  | MEDIUM   | Apache NiFi 1.16.0 through 1.28.0 and 2.0.0-M1 through 2.0.0-M4 include optional debug logging of Parameter Context values during
CVE-2024-45477 | >= 1.10.0 and <= 1.27.0  | 4.6  | MEDIUM   | Apache NiFi 1.10.0 through 1.27.0 and 2.0.0-M1 through 2.0.0-M3 support a description field for Parameters in a Parameter Context
CVE-2024-37389 | >= 1.10.0 and < 1.27.0   | 4.6  | MEDIUM   | Apache NiFi 1.10.0 through 1.26.0 and 2.0.0-M1 through 2.0.0-M3 support a description field in the Parameter Context configuration
CVE-2023-49145 | >= 0.7.0 and < 1.24.0    | 7.9  | HIGH     | Apache NiFi 0.7.0 through 1.23.2 include the JoltTransformJSON Processor, which provides an advanced configuration user interface
CVE-2023-40037 | >= 1.21.0 and < 1.23.1   | 6.5  | MEDIUM   | Apache NiFi 1.21.0 through 1.23.0 support JDBC and JNDI JMS access in several Processors and Controller Services with connection U
CVE-2023-36542 | >= 0.0.2 and <= 1.22.0   | 8.8  | HIGH     | Apache NiFi 0.0.2 through 1.22.0 include Processors and Controller Services that support HTTP URL references for retrieving driver
CVE-2023-34468 | >= 0.0.2 and < 1.22.0    | 8.8  | HIGH     | The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated a
CVE-2023-34212 | >= 1.8.0 and <= 1.21.0   | 6.5  | MEDIUM   | The JndiJmsConnectionFactoryProvider Controller Service, along with the ConsumeJMS and PublishJMS Processors, in Apache NiFi 1.8.0
CVE-2023-22832 | >= 1.2.0 and <= 1.19.1   | 7.5  | HIGH     | The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references. Flow co
CVE-2022-33140 | >= 1.10.0 and <= 1.16.2  | 8.8  | HIGH     | The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not neutralize a
CVE-2022-29265 | >= 0.0.1 and <= 1.16.0   | 7.5  | HIGH     | Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configuration. Th
CVE-2022-26850 | >= 1.14.0 and < 1.16.0   | 4.3  | MEDIUM   | When creating or updating credentials for single-user access, Apache NiFi wrote a copy of the Login Identity Providers configurati
CVE-2021-44145 | >= 0.1.0 and < 1.15.1    | 6.5  | MEDIUM   | In the TransformXML processor of Apache NiFi before 1.15.1 an authenticated user could configure an XSLT file which, if it include
CVE-2020-27223 | all versions             | 5.2  | MEDIUM   | In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multi
CVE-2021-20190 | >= 1.7.0 and <= 1.12.1   | 8.1  | HIGH     | A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typin
CVE-2020-9491  | >= 1.0.0 and <= 1.11.4   | 7.5  | HIGH     | In Apache NiFi 1.2.0 to 1.11.4, the NiFi UI and API were protected by mandating TLS v1.2, as well as listening connections establi
CVE-2020-9487  | >= 1.0.0 and <= 1.11.4   | 7.5  | HIGH     | In Apache NiFi 1.0.0 to 1.11.4, the NiFi download token (one-time password) mechanism used a fixed cache size and did not authenti
CVE-2020-9486  | >= 1.0.0 and <= 1.11.4   | 7.5  | HIGH     | In Apache NiFi 1.10.0 to 1.11.4, the NiFi stateless execution engine produced log output which included sensitive property values.
CVE-2020-13940 | >= 1.0.0 and <= 1.11.4   | 5.5  | MEDIUM   | In Apache NiFi 1.0.0 to 1.11.4, the notification service manager and various policy authorizer and user group provider objects all
CVE-2020-1942  | >= 0.0.1 and <= 1.11.0   | 7.5  | HIGH     | In Apache NiFi 0.0.1 to 1.11.0, the flow fingerprint factory generated flow fingerprints which included sensitive property descrip
CVE-2020-1933  | >= 1.0.0 and <= 1.10.0   | 6.1  | MEDIUM   | A XSS vulnerability was found in Apache NiFi 1.0.0 to 1.10.0. Malicious scripts could be injected to the UI through action by an u
CVE-2020-1928  | all versions             | 5.3  | MEDIUM   | An information disclosure vulnerability was found in Apache NiFi 1.10.0. The sensitive parameter parser would log parsed values fo
CVE-2019-12421 | >= 1.0.0 and <= 1.9.2    | 8.8  | HIGH     | When using an authentication mechanism other than PKI, when the user clicks Log Out in NiFi versions 1.0.0 to 1.9.2, NiFi invalida
CVE-2019-10083 | >= 1.3.0 and <= 1.9.2    | 5.3  | MEDIUM   | When updating a Process Group via the API in NiFi versions 1.3.0 to 1.9.2, the response to the request includes all of its content
CVE-2019-10080 | >= 1.3.0 and <= 1.9.2    | 6.5  | MEDIUM   | The XMLFileLookupService in NiFi versions 1.3.0 to 1.9.2 allowed trusted users to inadvertently configure a potentially malicious
CVE-2019-10086 | all versions             | 7.3  | HIGH     | In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker
CVE-2018-17195 | >= 1.0.0 and <= 1.7.1    | 7.5  | HIGH     | The template upload API endpoint accepted requests from different domain when sent in conjunction with ARP spoofing + man in the m
CVE-2018-17194 | >= 1.0.0 and <= 1.7.1    | 7.5  | HIGH     | When a client request to a cluster node was replicated to other nodes in the cluster for verification, the Content-Length was forw
CVE-2018-17193 | >= 1.0.0 and <= 1.7.1    | 6.1  | MEDIUM   | The message-page.jsp error page used the value of the HTTP request header X-ProxyContextPath without sanitization, resulting in a
CVE-2018-17192 | >= 1.0.0 and <= 1.6.0    | 6.5  | MEDIUM   | The X-Frame-Options headers were applied inconsistently on some HTTP responses, resulting in duplicate or missing security headers
CVE-2018-1310  | < 1.6.0                  | 7.5  | HIGH     | Apache NiFi JMS Deserialization issue because of ActiveMQ client vulnerability. Malicious JMS content could cause denial of servic
CVE-2018-1309  | < 1.6.0                  | 9.8  | CRITICAL | Apache NiFi External XML Entity issue in SplitXML processor. Malicious XML content could cause information disclosure or remote co
CVE-2017-15703 | >= 1.0.0 and <= 1.4.0    | 5.0  | MEDIUM   | Any authenticated user (valid client certificate but without ACL permissions) could upload a template which contained malicious co
CVE-2017-15697 | >= 1.0.0 and <= 1.4.0    | 9.8  | CRITICAL | A malicious X-ProxyContextPath or X-Forwarded-Context header containing external resources or embedded code could cause remote cod
CVE-2017-12632 | <= 1.4.0                 | 7.5  | HIGH     | A malicious host header in an incoming HTTP request could cause NiFi to load resources from an external server. The fix to sanitiz
CVE-2017-5636  | all versions             | 9.8  | CRITICAL | In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, the proxy chain serialization/deserialization is vulner
CVE-2017-5635  | all versions             | 7.5  | HIGH     | In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, if an anonymous user request is replicated to another n
CVE-2016-8748  | <= 1.0.0                 | 5.4  | MEDIUM   | In Apache NiFi before 1.0.1 and 1.1.x before 1.1.1, there is a cross-site scripting vulnerability in connection details dialog whe
CVE-2017-12623 | all versions             | 6.5  | MEDIUM   | An authorized user could upload a template which contained malicious code and accessed sensitive files via an XML External Entity
CVE-2017-7667  | <= 0.7.3                 | 7.5  | HIGH     | Apache NiFi before 0.7.4 and 1.x before 1.3.0 need to establish the response header telling browsers to only allow framing with th
CVE-2017-7665  | <= 0.7.3                 | 6.1  | MEDIUM   | In Apache NiFi before 0.7.4 and 1.x before 1.3.0, there are certain user input components in the UI which had been guarding for so
threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin