====================================================================
CERT-Renater Note d'Information No. 2020/VULN061
_____________________________________________________________________

DATE                 : 04/02/2020
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Apache NiFi versions prior to 1.11.0.
=====================================================================

http://mail-archives.apache.org/mod_mbox/nifi-dev/202001.mbox/%3cCAEhjM2BPMwhFcA9eodrtmmVfyXVpEKsN6ie5Sj0Q=BoKw8SOSg@mail.gmail.com%3e
https://nifi.apache.org/security.html#CVE-2020-1928
https://nifi.apache.org/security.html#CVE-2020-1933
https://nifi.apache.org/security.html#CVE-2019-10768
_____________________________________________________________________

Apache NiFi Community,

The https://nifi.apache.org/security.html page has been updated with 2
vulnerabilities discovered in previous NiFi versions which have been
resolved in release 1.11.0. The severities of these were determined to be
one 'high' and one 'moderate'. Dependency vulnerabilities that were
patched have also been published.

Questions about these vulnerabilities can be directed to
security@nifi.apache.org.

If you identify new security issues within the NiFi 1.11.0 release,
please forward your report to security@nifi.apache.org and do not
disclose the issue publicly. The security vulnerability reporting and
disclosure process can be found here:
https://www.apache.org/security/committers.html.

Regards,
Nathan
_____________________________________________________________________

Fixed in Apache NiFi 1.11.0

Vulnerabilities

CVE-2020-1928: Apache NiFi information disclosure by debug logging

Severity: Moderate
Versions Affected: Apache NiFi 1.10.0
Description: The sensitive parameter parser would log parsed values for
  debugging purposes. This would expose literal values entered in a
  sensitive property when no parameter was present: a secret typed
  directly into a sensitive property (rather than supplied through a
  parameter reference) was written to the debug log.
Mitigation: Removed debug logging from the class. Users running the
  1.10.0 release should upgrade to the latest release. Upgrading stops
  further logging; log files already written by a 1.10.0 instance with
  debug logging enabled for that class may still contain the values.
Credit: This issue was discovered by Andy LoPresto.
CVE Link: Mitre Database: CVE-2020-1928
NiFi Jira: NIFI-6948
NiFi PR: PR 3935
Released: January 22, 2020

CVE-2020-1933: Apache NiFi XSS attack

Severity: High
Versions Affected: Apache NiFi 1.0.0 - 1.10.0
Description: Malicious scripts could be injected into the UI through
  action by an unaware authenticated user in Firefox. Did not appear to
  occur in other browsers.
Mitigation: Sanitization of the error response ensures the XSS would not
  be executed. Users running a prior 1.x release should upgrade to the
  latest release.
Credit: This issue was discovered by Jakub Palaczynski (ING Tech Poland).
CVE Link: Mitre Database: CVE-2020-1933
NiFi Jira: NIFI-7023
NiFi PR: PR 3991
Released: January 22, 2020

Dependency Vulnerabilities

CVE-2019-10768: Apache NiFi's AngularJS usage

Severity: High
Versions Affected: Apache NiFi 1.8.0 - 1.10.0
Description: An Object.prototype pollution vulnerability existed within
  the AngularJS dependency used by NiFi. See NIST NVD CVE-2019-10768 for
  more information.
Mitigation: AngularJS was upgraded from 1.7.2 to 1.7.9 for the Apache
  NiFi 1.11.0 release. Users running a prior 1.x release should upgrade
  to the appropriate release.
Credit: This issue was identified by Pierre Villard.
CVE Link: Mitre Database: CVE-2019-10768
NiFi Jira: NIFI-6893
NiFi PR: PR 3899
Released: January 22, 2020

=========================================================
+ CERT-RENATER           | tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel       | fax : 01-53-94-20-41         +
+ 75013 Paris            | email: cert@support.renater.fr +
=========================================================
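Appended worked example (added by the editor; this is not Apache NiFi, AngularJS or CERT-Renater code) illustrating the class of bug in the CVE-2019-10768 entry above: a recursive object merge that follows an attacker-supplied "__proto__" key into Object.prototype, beside a hardened merge that refuses keys reaching the prototype chain. The payload string, the property name "isAdmin" and the function names are constructed for the demonstration; the example does not reproduce the exact AngularJS code path, only the mechanism.

```javascript
// Added example, not code from NiFi or AngularJS. Demonstrates how a naive
// recursive merge pollutes Object.prototype and how a hardened merge avoids it.

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Vulnerable merge: for..in visits an own "__proto__" key created by
// JSON.parse, and dst["__proto__"] resolves to Object.prototype, so the
// recursion writes the payload's properties onto the shared prototype.
function naiveMerge(dst, src) {
  for (const key in src) {
    const value = src[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(dst[key])) dst[key] = {};
      naiveMerge(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Hardened merge: only own keys of src are copied, and the three keys that
// can reach the prototype chain are dropped before any recursion.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function safeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = src[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(dst, key) || !isPlainObject(dst[key])) {
        dst[key] = {};
      }
      safeMerge(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Constructed attacker input, e.g. a JSON body from an untrusted source.
// "isAdmin" is an arbitrary property name chosen for the demonstration.
const PAYLOAD = '{"name": "x", "__proto__": {"isAdmin": true}}';

// Runs one merge implementation against a fresh target and reports whether
// an unrelated, freshly created object afterwards carries "isAdmin", which
// is the signature of prototype pollution. Object.prototype is restored in
// the finally block so the pollution does not leak past this call.
function runMerge(mergeFn) {
  const target = {};
  try {
    mergeFn(target, JSON.parse(PAYLOAD));
    const bystander = {};
    return { polluted: bystander.isAdmin === true, targetName: target.name };
  } finally {
    delete Object.prototype.isAdmin;
  }
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("naive merge:", runMerge(naiveMerge)); // polluted: true
  console.log("safe merge :", runMerge(safeMerge));  // polluted: false
}
```

The bystander check is the quickest way to confirm whether a merge or extend helper in your own front-end code is affected: merge a "__proto__" payload into a throwaway object, then inspect a brand-new empty object. For NiFi itself the fix is the dependency upgrade listed in the advisory, not a local patch to AngularJS.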