Cross-site Request Forgery (CSRF) Affecting org.apache.nifi:nifi-web-api package, versions [1.0.0, 1.8.0)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.Test your applications
- Snyk ID SNYK-JAVA-ORGAPACHENIFI-72715
- published 20 Dec 2018
- disclosed 14 Sep 2018
- credit Mike Colw
How to fix?
Upgrade org.apache.nifi:nifi-web-api to version 1.8.0 or higher.
org.apache.nifi:nifi-web-api is a system to process and distribute data.
Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF). The template upload API endpoint accepted requests from different domain when sent in conjunction with ARP spoofing + man in the middle (MiTM) attack, resulting in a CSRF attack. The required attack vector is complex, requiring a scenario with client certificate authentication, same subnet access, and injecting malicious code into an unprotected (plaintext HTTP) website which the targeted user later visits, but the possible damage warranted a Severe severity level.