Cross-site Request Forgery (CSRF) Affecting org.apache.nifi:nifi-web-api package, versions [1.0.0, 1.8.0)

Snyk CVSS

Attack Complexity Low

User Interaction Required

Threat Intelligence

EPSS 0.05% (15^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-JAVA-ORGAPACHENIFI-72715
published 20 Dec 2018
disclosed 14 Sep 2018
credit Mike Colw

Report a new vulnerability Found a mistake?

Introduced: 14 Sep 2018

CVE-2018-17195 Open this link in a new tab CWE-352 Open this link in a new tab

How to fix?

Upgrade org.apache.nifi:nifi-web-api to version 1.8.0 or higher.

Overview

org.apache.nifi:nifi-web-api is a system to process and distribute data.

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF). The template upload API endpoint accepted requests from different domain when sent in conjunction with ARP spoofing + man in the middle (MiTM) attack, resulting in a CSRF attack. The required attack vector is complex, requiring a scenario with client certificate authentication, same subnet access, and injecting malicious code into an unprotected (plaintext HTTP) website which the targeted user later visits, but the possible damage warranted a Severe severity level.