nvd-json-data-feeds/CVE-2017/CVE-2017-156xx/CVE-2017-15697.json

{
  "id": "CVE-2017-15697",
  "sourceIdentifier": "security@apache.org",
  "published": "2018-01-23T22:29:00.337",
  "lastModified": "2018-02-12T16:15:01.923",
  "vulnStatus": "Analyzed",
  "descriptions": [
    {
      "lang": "en",
      "value": "A malicious X-ProxyContextPath or X-Forwarded-Context header containing external resources or embedded code could cause remote code execution. The fix to properly handle these headers was applied on the Apache NiFi 1.5.0 release. Users running a prior 1.x release should upgrade to the appropriate release."
    },
    {
      "lang": "es",
      "value": "Una cabecera X-ProxyContextPath o X-Forwarded-Context maliciosa que contenga recursos externos o c\u00f3digo embebido puede provocar la ejecuci\u00f3n remota de c\u00f3digo. La soluci\u00f3n para gestionar apropiadamente estas cabeceras se aplic\u00f3 en la distribuci\u00f3n 1.5.0 de Apache NiFi. Los usuarios que ejecuten una distribuci\u00f3n 1.x anterior deben actualizarla a la distribuci\u00f3n adecuada."
    }
  ],
  "metrics": {
    "cvssMetricV30": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "3.0",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "attackVector": "NETWORK",
          "attackComplexity": "LOW",
          "privilegesRequired": "NONE",
          "userInteraction": "NONE",
          "scope": "UNCHANGED",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9
      }
    ],
    "cvssMetricV2": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "2.0",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "accessVector": "NETWORK",
          "accessComplexity": "LOW",
          "authentication": "NONE",
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "availabilityImpact": "PARTIAL",
          "baseScore": 7.5
        },
        "baseSeverity": "HIGH",
        "exploitabilityScore": 10.0,
        "impactScore": 6.4,
        "acInsufInfo": false,
        "obtainAllPrivilege": false,
        "obtainUserPrivilege": false,
        "obtainOtherPrivilege": false,
        "userInteractionRequired": false
      }
    ]
  },
  "weaknesses": [
    {
      "source": "nvd@nist.gov",
      "type": "Primary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        }
      ]
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "operator": "OR",
          "negate": false,
          "cpeMatch": [
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*",
              "versionStartIncluding": "1.0.0",
              "versionEndIncluding": "1.4.0",
              "matchCriteriaId": "B5699FDF-232B-4292-85C3-7835CAC2229B"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "url": "https://nifi.apache.org/security.html#CVE-2017-15697",
      "source": "security@apache.org",
      "tags": [
        "Vendor Advisory"
      ]
    }
  ]
}