admin/cvelist
1
0
Fork 0
mirror of https://github.com/CVEProject/cvelist.git synced 2025-07-29 05:56:59 +00:00
Code Issues Packages Projects Releases Wiki Activity

- Synchronized data.

Browse Source
This commit is contained in:
CVE Team 2017-10-19 16:02:28 -04:00
parent 3aadbbc3c4
commit 9c4f1a88da
No known key found for this signature in database
GPG Key ID: 3504EC0FB4B2FE56
3 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
2016/8xxx/CVE-2016-8748.json
View File

@ -38,7 +38,7 @@
"description_data" : [
{
"lang" : "eng",
"value" : "Description: There is a cross-site scripting vulnerability in connection details dialog when accessed by an authorized user. The user supplied text was not being properly handled when added to the DOM. Mitigation: 1.0.0 users should upgrade to 1.0.1 or 1.1.1. 1.1.0 users should upgrade to 1.1.1. Additional migration guidance can be found here -- https://cwiki.apache.org/confluence/display/NIFI/Migration+Guidance. Credit: This issue was discovered by Matt Gilman."
"value" : "In Apache NiFi before 1.0.1 and 1.1.x before 1.1.1, there is a cross-site scripting vulnerability in connection details dialog when accessed by an authorized user. The user supplied text was not being properly handled when added to the DOM."
}
]
},

2
2017/5xxx/CVE-2017-5635.json
View File

@ -44,7 +44,7 @@
"description_data" : [
{
"lang" : "eng",
"value" : "Description: In a cluster environment, if an anonymous user request is replicated to another node, the originating node identity is used rather than the \"anonymous\" user. Mitigation: A fix has been provided (removing the negative check for anonymous user before building the proxy chain and throwing an exception, and evaluating each user in the proxy chain iteration and comparing against a static constant anonymous user). This fix was applied in NIFI-3487 and released in Apache NiFi 0.7.2 and 1.1.2. 1.x users running a clustered environment should upgrade to 1.1.2. 0.x users running a clustered environment should upgrade to 0.7.2. Additional migration guidance can be found here -- https://cwiki.apache.org/confluence/display/NIFI/Migration+Guidance."
"value" : "In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, if an anonymous user request is replicated to another node, the originating node identity is used rather than the \"anonymous\" user."
}
]
},

2
2017/5xxx/CVE-2017-5636.json
View File

@ -44,7 +44,7 @@
"description_data" : [
{
"lang" : "eng",
"value" : "Description: In a cluster environment, the proxy chain serialization/deserialization is vulnerable to an injection attack where a carefully crafted username could impersonate another user and gain their permissions on a replicated request to another node. Mitigation: A fix has been provided (modification of the tokenization code and sanitization of user-provided input). This fix was applied in NIFI-3487 and released in Apache NiFi 0.7.2 and 1.1.2. 1.x users running a clustered environment should upgrade to 1.1.2. 0.x users running a clustered environment should upgrade to 0.7.2. Additional migration guidance can be found here -- https://cwiki.apache.org/confluence/display/NIFI/Migration+Guidance. Credit: This issue was discovered by Andy LoPresto."
"value" : "In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, the proxy chain serialization/deserialization is vulnerable to an injection attack where a carefully crafted username could impersonate another user and gain their permissions on a replicated request to another node."
}
]
},