The Apache NiFi PMC would like to announce the discovery and resolution of CVE-2017-7667 and CVE-2017-7665. These issues have been resolved and new versions of the Apache NiFi project were released in accordance with the Apache Release Process.
Fixed in Apache NiFi 0.7.4 and 1.3.0

CVE-2017-7667: Apache NiFi XFS issue due to insufficient response headers

Severity: Important

Versions Affected:
Apache NiFi 0.0.1 - 0.7.3
Apache NiFi 1.0.0 - 1.2.0

Description: Apache NiFi needs to set the response header that tells browsers to allow framing of the UI only from the same origin.

Mitigation: The fix that sets this response header is applied in the Apache NiFi 0.7.4 and Apache NiFi 1.3.0 releases. Users running a prior 0.x or 1.x release should upgrade to the appropriate release.

Credit: This issue was discovered by Matt Gilman.

CVE-2017-7665: Apache NiFi XSS issue on certain user input components

Severity: Important

Versions Affected:
Apache NiFi 0.0.1 - 0.7.3
Apache NiFi 1.0.0 - 1.2.0

Description: Certain user input components in the Apache NiFi UI guarded against some forms of XSS, but that guarding was insufficient.

Mitigation: The fix providing more complete user input sanitization is applied in the Apache NiFi 0.7.4 and Apache NiFi 1.3.0 releases. Users running a prior 0.x or 1.x release should upgrade to the appropriate release.

Credit: This issue was discovered by Matt Gilman.
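After upgrading for CVE-2017-7667, an operator will want to confirm that the UI's responses actually carry a same-origin framing restriction. The following check is an added example written for this advisory, not Apache NiFi code; it assumes the fix uses X-Frame-Options: SAMEORIGIN (the advisory does not name the header) and also recognises the Content-Security-Policy frame-ancestors equivalent, which browsers give precedence when both are present. The sample response is constructed.

```python
"""Evaluate whether HTTP response headers restrict framing to the same origin."""
from typing import Dict, Optional


def _get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup of a single header value."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def framing_policy(headers: Dict[str, str]) -> str:
    """Return 'deny', 'sameorigin', 'allowlist' or 'unrestricted'.

    CSP frame-ancestors is checked first because browsers that support it
    ignore X-Frame-Options when both headers are present.
    """
    csp = _get_header(headers, "Content-Security-Policy")
    if csp is not None:
        for directive in csp.split(";"):
            parts = directive.strip().split()
            if parts and parts[0].lower() == "frame-ancestors":
                sources = [s.strip("'").lower() for s in parts[1:]]
                if sources == ["none"]:
                    return "deny"
                if sources == ["self"]:
                    return "sameorigin"
                return "allowlist"  # restricted to specific origins
    xfo = _get_header(headers, "X-Frame-Options")
    if xfo is not None:
        value = xfo.strip().upper()
        if value == "DENY":
            return "deny"
        if value == "SAMEORIGIN":
            return "sameorigin"
        # ALLOW-FROM and malformed values are ignored by browsers.
    return "unrestricted"


def parse_raw_response(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP response (e.g. from curl -i)."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip()] = value.strip()
    return headers


def is_framing_restricted(raw: str) -> bool:
    """True when the response allows framing only by the same origin or nobody."""
    return framing_policy(parse_raw_response(raw)) in ("deny", "sameorigin")


# Constructed sample of a fixed response; not captured from a real NiFi host.
SAMPLE_FIXED = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n<html>"
```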