Release Notes

Common Vulnerabilities and Exposures

The following CVEs have been fixed in HDF 3.3.0:

CVE-2014-0193

Component: Apache NiFi

Description: A vulnerability in the netty library could cause denial of service. See NIST NVD CVE-2014-0193 or netty release announcement for more information.

Severity: Low

Versions Affected: Apache NiFi 1.0.0 - 1.7.1

Apache CVE Report Link: https://nifi.apache.org/security.html#CVE-2014-0193

CVE-2018-17192

Component: Apache NiFi

Description: The X-Frame-Options headers were applied inconsistently on some HTTP responses, resulting in duplicate or missing security headers. Some browsers would interpret these results incorrectly, allowing clickjacking attacks.

Severity: Low

Versions Affected: Apache NiFi 1.0.0 - 1.6.0

Apache CVE Report Link: https://nifi.apache.org/security.html#CVE-2018-17192
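The following is an added example, not code from Apache NiFi or from HDF, showing how an operator can audit captured HTTP response headers for the condition this CVE describes (no X-Frame-Options header, the header repeated, or two different values) and how a single consistent header is produced. The sample responses are constructed for the example; the header names and values are standard HTTP.

```python
# Constructed sample responses (not captured from NiFi): each entry is the
# list of raw header lines as they would appear in an HTTP response.
SAMPLE_RESPONSES = {
    "ok": [
        "Content-Type: text/html",
        "X-Frame-Options: SAMEORIGIN",
    ],
    "missing": [
        "Content-Type: text/html",
    ],
    "duplicate": [
        "X-Frame-Options: SAMEORIGIN",
        "Content-Type: text/html",
        "X-Frame-Options: SAMEORIGIN",
    ],
    "conflicting": [
        "X-Frame-Options: DENY",
        "X-Frame-Options: SAMEORIGIN",
    ],
}


def parse_headers(lines):
    """Split raw header lines into (name, value) pairs; names are case-insensitive."""
    pairs = []
    for line in lines:
        if ":" not in line:
            continue  # malformed line, ignore it
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_frame_options(lines):
    """Classify how a response handles X-Frame-Options.

    Returns "ok", "missing", "duplicate" (same value repeated) or
    "conflicting" (different values). Browsers do not agree on how repeated
    or conflicting values are interpreted, so anything but "ok" is a finding.
    """
    values = [v.upper() for n, v in parse_headers(lines) if n == "x-frame-options"]
    if not values:
        return "missing"
    if len(values) == 1:
        return "ok"
    if len(set(values)) == 1:
        return "duplicate"
    return "conflicting"


def normalize_frame_options(lines, policy="SAMEORIGIN"):
    """Return the header lines with exactly one X-Frame-Options header.

    Every existing X-Frame-Options header is removed and one header carrying
    the given policy is appended, so all responses are emitted consistently.
    """
    kept = [line for line in lines
            if line.split(":", 1)[0].strip().lower() != "x-frame-options"]
    kept.append(f"X-Frame-Options: {policy}")
    return kept


def audit_all(responses):
    """Audit a mapping of label -> header lines and return only the findings."""
    findings = {}
    for label, lines in responses.items():
        result = audit_frame_options(lines)
        if result != "ok":
            findings[label] = result
    return findings


if __name__ == "__main__":
    for label, result in audit_all(SAMPLE_RESPONSES).items():
        print(f"{label}: {result}")
```

Run against headers captured from a proxy log or a browser's network panel, the audit flags each inconsistent response; applying the normalization at a single point in the response pipeline is what removes the inconsistency.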

CVE-2018-17193

Component: Apache NiFi

Description: The message-page.jsp error page used the value of the HTTP request header X-ProxyContextPath without sanitization, resulting in a reflected XSS attack.

Severity: Moderate

Versions Affected: Apache NiFi 1.0.0 - 1.7.1

Apache CVE Report Link: https://nifi.apache.org/security.html#CVE-2018-17193
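The following is an added example, not code from Apache NiFi or from HDF, showing the two defensive layers that address a reflected value like the one this CVE describes: a request header is only honoured when it is syntactically a plain path and matches a configured allow-list, and whatever is rendered into the error page is HTML-escaped regardless. The allow-list values, the page template and the helper names are constructed for the example.

```python
import html
import re

# Constructed allow-list of proxy context paths an operator has configured
# (hypothetical values for this example).
ALLOWED_CONTEXT_PATHS = {"/nifi-proxy", "/flow"}

# A context path is one or more slash-separated segments of unreserved
# characters: no query, no fragment, no quotes or markup characters.
_SAFE_PATH = re.compile(r"^(/[A-Za-z0-9._~-]+)+$")


def resolve_context_path(header_value, allowed=ALLOWED_CONTEXT_PATHS):
    """Return the context path to use for links, or "" if the header is untrusted.

    The header is attacker-controlled on an unauthenticated request, so it is
    honoured only when it is a plain path AND is one of the configured values;
    anything else falls back to no context path.
    """
    if header_value is None:
        return ""
    value = header_value.strip()
    if not _SAFE_PATH.match(value):
        return ""
    return value if value in allowed else ""


def render_error_page(message, context_path):
    """Render a minimal error page; every dynamic value is HTML-escaped.

    Escaping is the second layer: even a value that passed the allow-list is
    never inserted into markup unescaped.
    """
    safe_path = html.escape(context_path, quote=True)
    safe_msg = html.escape(message, quote=True)
    return (
        "<html><body>"
        f"<p>{safe_msg}</p>"
        f'<a href="{safe_path}/nifi">Return to NiFi</a>'
        "</body></html>"
    )


def error_page_for_request(message, headers):
    """Build the error page for a request, reading X-ProxyContextPath safely."""
    raw = headers.get("X-ProxyContextPath")
    return render_error_page(message, resolve_context_path(raw))


if __name__ == "__main__":
    # Constructed requests: one with a configured path, one carrying markup.
    print(error_page_for_request("Not found", {"X-ProxyContextPath": "/flow"}))
    print(error_page_for_request("Not found", {"X-ProxyContextPath": '/flow"><b>x</b>'}))
```

The allow-list check is what makes the header safe to use for building links at all; the escaping in the renderer is what keeps a future template change from reintroducing the reflection.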

CVE-2018-17194

Component: Apache NiFi

Description: When a client request to a cluster node was replicated to other nodes in the cluster for verification, the Content-Length header was forwarded. On a DELETE request the body was ignored, but if the initial request had a Content-Length value other than 0, the receiving nodes would wait for the body and eventually time out.

Severity: Moderate

Versions Affected: Apache NiFi 1.0.0 - 1.7.1

Apache CVE Report Link: https://nifi.apache.org/security.html#CVE-2018-17194
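The following is an added example, not code from Apache NiFi or from HDF, showing the mitigation for the condition this CVE describes from both sides of the replication: the coordinating node drops the body-framing headers for methods whose body is ignored and recomputes Content-Length from the body it actually forwards, and the receiving side reads no body bytes for such methods regardless of any Content-Length it is sent. The set of body-less methods and the sample headers are assumptions made for the example.

```python
# Methods whose request body is ignored on replication (an assumption for
# this example; the real set depends on the API being replicated).
BODYLESS_METHODS = {"GET", "HEAD", "DELETE", "OPTIONS"}

# Headers that describe a body and must not be copied from the client blindly.
BODY_HEADERS = {"content-length", "transfer-encoding", "content-type"}


def headers_for_replication(method, headers, body=b""):
    """Build the (headers, body) pair to send to the other cluster nodes.

    For body-less methods the framing headers are dropped so a receiving node
    never waits for bytes that will not arrive. For methods that carry a body,
    Content-Length is recomputed from the body actually forwarded rather than
    copied from the client's request.
    """
    method = method.upper()
    out = {k: v for k, v in headers.items() if k.lower() not in BODY_HEADERS}
    if method in BODYLESS_METHODS:
        return out, b""
    out["Content-Length"] = str(len(body))
    content_type = next((v for k, v in headers.items() if k.lower() == "content-type"), None)
    if content_type:
        out["Content-Type"] = content_type
    return out, body


def expected_body_bytes(method, headers):
    """Number of body bytes a receiving node should read before handling the request.

    Mirrors the receiving side: a body-less method reads nothing no matter
    what Content-Length says, which is what prevents the hang; otherwise a
    malformed or negative Content-Length is treated as no body.
    """
    if method.upper() in BODYLESS_METHODS:
        return 0
    for k, v in headers.items():
        if k.lower() == "content-length":
            try:
                return max(int(v), 0)
            except ValueError:
                return 0
    return 0


if __name__ == "__main__":
    # Constructed client request headers as the coordinating node sees them.
    client_headers = {
        "Host": "node1.example.internal",
        "Content-Length": "42",
        "X-Request-ID": "abc",
    }
    replicated, body = headers_for_replication("DELETE", client_headers)
    print(replicated, len(body), expected_body_bytes("DELETE", replicated))
```

Either half alone closes the issue in this scenario; doing both means a node that has not yet been upgraded, or a differently written client, still cannot make peers wait on a body that is never sent.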

CVE-2018-17195

Component: Apache NiFi

Description: The template upload API endpoint accepted requests from a different domain when sent in conjunction with ARP spoofing + meddler in the middle (MITM) attack, resulting in a CSRF attack. The required attack vector is complex, requiring a scenario with client certificate authentication, same subnet access, and injecting malicious code into an unprotected (plaintext HTTP) website which the targeted user later visits, but the possible damage warranted a Severe severity level.

Severity: Severe

Versions Affected: Apache NiFi 1.0.0 - 1.7.1

Apache CVE Report Link: https://nifi.apache.org/security.html#CVE-2018-17195