User Impersonation Affecting org.apache.nifi:nifi-web-security package, versions [0.7.0,0.7.2) [1.1.0,1.1.2)

Snyk CVSS

Attack Complexity Low

Confidentiality High

Integrity High

Availability High

Threat Intelligence

EPSS 0.09% (39^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-JAVA-ORGAPACHENIFI-31439
published 21 May 2017
disclosed 10 Mar 2017
credit Andy LoPresto

Report a new vulnerability Found a mistake?

Introduced: 10 Mar 2017

CVE-2017-5636 Open this link in a new tab CWE-290 Open this link in a new tab

Overview

org.apache.nifi:nifi-web-security

Affected versions of this package are vulnerable to User Impersonation. An attacker could carefully craft a username to impersonate another user and gain their permissions on a replicated request to another node, via the the proxy chain serialization/deserialization functions as they are vulnerable to an injection attack. This only occurs in a cluster environment.

User Impersonation Affecting org.apache.nifi:nifi-web-security package, versions [0.7.0,0.7.2) [1.1.0,1.1.2)

Snyk CVSS

Threat Intelligence

Introduced: 10 Mar 2017

Overview

References