Cross-site Request Forgery (CSRF) Affecting org.apache.nifi:nifi-web-api package, versions [1.0.0, 1.8.0)


0.0
medium

Snyk CVSS

    Attack Complexity Low
    User Interaction Required
Expand this section
NVD
7.5 high

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JAVA-ORGAPACHENIFI-72715
  • published 20 Dec 2018
  • disclosed 14 Sep 2018
  • credit Mike Colw

How to fix?

Upgrade org.apache.nifi:nifi-web-api to version 1.8.0 or higher.

Overview

org.apache.nifi:nifi-web-api is a system to process and distribute data.

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF). The template upload API endpoint accepted requests from different domain when sent in conjunction with ARP spoofing + man in the middle (MiTM) attack, resulting in a CSRF attack. The required attack vector is complex, requiring a scenario with client certificate authentication, same subnet access, and injecting malicious code into an unprotected (plaintext HTTP) website which the targeted user later visits, but the possible damage warranted a Severe severity level.