Cross-site Request Forgery (CSRF) Affecting org.apache.nifi:nifi-web-api Open this link in a new tab package, versions [1.0.0, 1.8.0)

  • Attack Complexity


  • User Interaction


Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id


  • published

    20 Dec 2018

  • disclosed

    14 Sep 2018

  • credit

    Mike Colw

How to fix?

Upgrade org.apache.nifi:nifi-web-api to version 1.8.0 or higher.


org.apache.nifi:nifi-web-api is a system to process and distribute data.

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF). The template upload API endpoint accepted requests from different domain when sent in conjunction with ARP spoofing + man in the middle (MiTM) attack, resulting in a CSRF attack. The required attack vector is complex, requiring a scenario with client certificate authentication, same subnet access, and injecting malicious code into an unprotected (plaintext HTTP) website which the targeted user later visits, but the possible damage warranted a Severe severity level.