Modified: nifi/site/trunk/security.html URL: http://svn.apache.org/viewvc/nifi/site/trunk/security.html?rev=1811625&r1=1811624&r2=1811625&view=diff ============================================================================== --- nifi/site/trunk/security.html (original) +++ nifi/site/trunk/security.html Mon Oct 9 23:12:04 2017 @@ -150,6 +150,26 @@ <div class="medium-space"></div> <div class="row"> <div class="large-12 columns features"> + <h2>Fixed in Apache NiFi 1.4.0</h2> + </div> +</div> +<div class="row"> + <div class="large-12 columns"> + <p><b>CVE-2017-12623</b>: Apache NiFi XXE issue in template XML upload</p> + <p>Severity: <b>Medium</b></p> + <p>Versions Affected:</p> + <ul> + <li>Apache NiFi 1.0.0 - 1.3.0</li> + </ul> + </p> + <p>Description: An authorized user could upload a template which contained malicious code and accessed sensitive files via an XML External Entity (XXE) attack. </p> + <p>Mitigation: The fix to properly handle XML External Entities was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should upgrade to the appropriate release. </p> + <p>Credit: This issue was discovered by PaweÅ Gocyla. </p> + </div> +</div> +<div class="medium-space"></div> +<div class="row"> + <div class="large-12 columns features"> <h2>Fixed in Apache NiFi 0.7.4 and 1.3.0</h2> </div> </div>
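
Review bot: The added CVE-2017-12623 block has an unmatched closing `</p>` directly after the `</ul>` of the "Versions Affected" list. `<p>Versions Affected:</p>` is already closed on its own line, so the extra tag leaves the markup ill-formed and should be dropped. In the Credit line the reporter's name shows up as "PaweÅ", which looks like a mis-encoded non-ASCII character; check that the file is saved and served as UTF-8, or write the character as an HTML entity. The Description also mixes tenses ("could upload a template which contained malicious code and accessed sensitive files"); "could upload a template containing malicious code and access sensitive files" would read more clearly.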
