This is an automated email from the ASF dual-hosted git repository.
thenatog pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/nifi-site.git
The following commit(s) were added to refs/heads/master by this push:
new 2f436b8 Error with previous commit. Fixing.
2f436b8 is described below
commit 2f436b820b3b9874fe26f1375714e4cee6f7c286
Author: Nathan Gough <[email protected]>
AuthorDate: Thu Jan 23 21:42:04 2020 -0500
Error with previous commit. Fixing.
---
src/pages/html/security.hbs | 148 ++++++++++----------------------------------
1 file changed, 32 insertions(+), 116 deletions(-)
diff --git a/src/pages/html/security.hbs b/src/pages/html/security.hbs
index 18fd3d3..3037ff3 100644
--- a/src/pages/html/security.hbs
+++ b/src/pages/html/security.hbs
@@ -47,159 +47,75 @@ title: Apache NiFi Security Reports
<div class="medium-space"></div>
<div class="row">
<div class="large-12 columns features">
- <h2><a id="1.10.0" href="#1.10.0">Fixed in Apache NiFi 1.11.0</a></h2>
+ <h2><a id="1.11.0" href="#1.11.0">Fixed in Apache NiFi 1.11.0</a></h2>
</div>
</div>
<!-- Vulnerabilities -->
<div class="row">
<div class="large-12 columns features">
- <h2><a id="1.10.0-vulnerabilities"
href="#1.10.0-vulnerabilities">Vulnerabilities</a></h2>
+ <h2><a id="1.11.0-vulnerabilities"
href="#1.11.0-vulnerabilities">Vulnerabilities</a></h2>
</div>
</div>
<div class="row" style="background-color: aliceblue">
<div class="large-12 columns">
- <p><a id="CVE-2019-10080"
href="#CVE-2019-10080"><strong>CVE-2019-10080</strong></a>: Apache NiFi
information disclosure by XXE </p>
- <p>Severity: <strong>Low</strong></p>
- <p>Versions Affected:</p>
- <ul>
- <li>Apache NiFi 1.3.0 - 1.9.2</li>
- </ul>
- </p>
- <p>Description: The XMLFileLookupService allowed trusted users to
inadvertently configure a potentially malicious XML file. The XML file has the
ability to make external calls to services (via XXE) and reveal information
such as the versions of Java, Jersey, and Apache that the NiFI instance uses.
</p>
- <p>Mitigation: A validator to ensure the XML file is not malicious was
applied on the Apache NiFi 1.10.0 release. Users running a prior 1.x release
should upgrade to the appropriate release. </p>
- <p>Credit: This issue was discovered by Shuibo Ye. </p>
- <p>CVE Link: <a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10080"
target="_blank">Mitre Database: CVE-2019-10080</a></p>
- <p>NiFi Jira: <a
href="https://issues.apache.org/jira/browse/NIFI-6301"
target="_blank">NIFI-6301</a></p>
- <p>NiFi PR: <a href="https://github.com/apache/nifi/pull/3507"
target="_blank">PR 3507</a></p>
- <p>Released: November 4, 2019</p>
- </div>
-</div>
-<div class="row">
- <div class="large-12 columns">
- <p><a id="CVE-2019-12421"
href="#CVE-2019-12421"><strong>CVE-2019-12421</strong></a>: Apache NiFi user
log out issue</p>
+ <p><a id="CVE-2020-1928"
href="#CVE-2020-1928"><strong>CVE-2020-1928</strong></a>: Apache NiFi
information disclosure by debug logging</p>
<p>Severity: <strong>Moderate</strong></p>
<p>Versions Affected:</p>
<ul>
- <li>Apache NiFi 1.0.0 - 1.9.2</li>
+ <li>Apache NiFi 1.10.0 - 1.10.0</li>
</ul>
</p>
- <p>Description: If NiFi uses an authentication mechanism other than
PKI, when the user clicks Log Out, NiFi invalidates the authentication token on
the client side but not on the server side. This permits the user's client-side
token to be used for up to 12 hours after logging out to make API requests to
NiFi. </p>
- <p>Mitigation: The fix to invalidate the server-side authentication
token immediately after the user clicks 'Log Out' was applied on the Apache
NiFi 1.10.0 release. Users running a prior 1.x release should upgrade to the
appropriate release. </p>
- <p>Credit: This issue was discovered by Abdu Sahin. </p>
- <p>CVE Link: <a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12421"
target="_blank">Mitre Database: CVE-2019-12421</a></p>
- <p>NiFi Jira: <a
href="https://issues.apache.org/jira/browse/NIFI-6085"
target="_blank">NIFI-6085</a></p>
- <p>NiFi PR: <a href="https://github.com/apache/nifi/pull/3362"
target="_blank">PR 3362</a></p>
- <p>Released: November 4, 2019</p>
+ <p>Description: The sensitive parameter parser would log parsed values
for debugging purposes. If the parameter was sensitive, it would be logged in
plaintext. </p>
+ <p>Mitigation: Removed debug logging from the class. Users running a
prior 1.x release should upgrade to the latest release. </p>
+ <p>Credit: This issue was discovered by Andy LoPresto. </p>
+ <p>CVE Link: <a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1928"
target="_blank">Mitre Database: CVE-2020-1928</a></p>
+ <p>NiFi Jira: <a
href="https://issues.apache.org/jira/browse/NIFI-6948"
target="_blank">NIFI-6948</a></p>
+ <p>NiFi PR: <a href="https://github.com/apache/nifi/pull/3935"
target="_blank">PR 3935</a></p>
+ <p>Released: January 22, 2020</p>
</div>
</div>
-<div class="row" style="background-color: aliceblue">
+<div class="row">
<div class="large-12 columns">
- <p><a id="CVE-2019-10083"
href="#CVE-2019-10083"><strong>CVE-2019-10083</strong></a>: Apache NiFi process
group information disclosure</p>
- <p>Severity: <strong>Low</strong></p>
+ <p><a id="CVE-2020-1933"
href="#CVE-2020-1933"><strong>CVE-2020-1933</strong></a>: Apache NiFi XSS
attack</p>
+ <p>Severity: <strong>High</strong></p>
<p>Versions Affected:</p>
<ul>
- <li>Apache NiFi 1.3.0 - 1.9.2</li>
+ <li>Apache NiFi 1.0.0 - 1.10.0</li>
</ul>
</p>
- <p>Description: When updating a Process Group via the API, the
response to the request includes all of its contents (at the top most level,
not recursively). The response included details about processors and controller
services which the user may not have had read access to. </p>
- <p>Mitigation: Requests to update or remove the process group will no
longer return the contents of the process group in the response in Apache NiFi
1.10.0. Users running a prior 1.x release should upgrade to the appropriate
release. </p>
- <p>Credit: This issue was discovered by Mark Payne. </p>
- <p>CVE Link: <a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10083"
target="_blank">Mitre Database: CVE-2019-100833</a></p>
- <p>NiFi Jira: <a
href="https://issues.apache.org/jira/browse/NIFI-6302"
target="_blank">NIFI-6302</a></p>
- <p>NiFi PR: <a href="https://github.com/apache/nifi/pull/3477"
target="_blank">PR 3477</a>, <a href="https://github.com/apache/nifi/pull/3487"
target="_blank">PR 3487</a></p>
- <p>Released: November 4, 2019</p>
+ <p>Description: Malicious scripts could be injected to the UI through
action by an unaware authenticated user in Firefox. Did not appear to occur in
other browsers.</p>
+ <p>Mitigation: Sanitization of the error response ensures the XSS
would not be executed. Users running a prior 1.x release should upgrade to the
latest release. </p>
+ <p>Credit: This issue was discovered by Jakub Palaczynski. </p>
+ <p>CVE Link: <a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1933"
target="_blank">Mitre Database: CVE-2020-1933</a></p>
+ <p>NiFi Jira: <a
href="https://issues.apache.org/jira/browse/NIFI-7023"
target="_blank">NIFI-7023</a></p>
+ <p>NiFi PR: <a href="https://github.com/apache/nifi/pull/3991"
target="_blank">PR 3991</a></p>
+ <p>Released: January 22, 2020</p>
</div>
</div>
<!-- Dependency Vulnerabilities -->
<div class="row">
<div class="large-12 columns features">
- <h2><a id="1.10.0-dependency-vulnerabilities"
href="#1.10.0-dependency-vulnerabilities">Dependency Vulnerabilities</a></h2>
+ <h2><a id="1.11.0-dependency-vulnerabilities"
href="#1.11.0-dependency-vulnerabilities">Dependency Vulnerabilities</a></h2>
</div>
</div>
<div class="row">
<div class="large-12 columns">
- <p><a id="CVE-2017-5637" href="#CVE-2017-5637"><strong>CVE-2017-5637,
CVE-2016-5017, CVE-2018-8012</strong></a>: Apache NiFi's Zookeeper usage</p>
+ <p><a id="CVE-2019-10768"
href="#CVE-2019-10768"><strong>CVE-2019-10768</strong></a>: Apache NiFi's
AngularJS usage</p>
<p>Severity: <strong>High</strong></p>
<p>Versions Affected:</p>
<ul>
- <li>Apache NiFi 1.0.0 - 1.9.2</li>
- </ul>
- </p>
- <p>Description: Various vulnerabilities existed within the Zookeeper
dependency used by NiFi. See <a
href="https://nvd.nist.gov/vuln/detail/CVE-2018-8012" target="_blank">NIST NVD
CVE-2018-8012</a>, <a href="https://nvd.nist.gov/vuln/detail/CVE-2017-5637"
target="_blank">NIST NVD CVE-2017-5637</a>, <a
href="https://nvd.nist.gov/vuln/detail/CVE-2016-5017" target="_blank">NIST NVD
CVE-2016-5017</a> for more information. </p>
- <p>Mitigation: The fix to upgrade the Zookeeper dependency from 3.4.6
to 3.5.5 was applied on the Apache NiFi 1.10.0 release. Users running a prior
1.x release should upgrade to the appropriate release. </p>
- <p>Credit: This issue was identified by Nathan Gough. </p>
- <p>CVE Link: <a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8012"
target="_blank">Mitre Database: CVE-2018-8012</a>, <a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5637"
target="_blank">Mitre Database: CVE-2017-5637</a>, <a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5017"
target="_blank">Mitre Database: CVE-2016-5017</a></p>
- <p>NiFi Jira: <a
href="https://issues.apache.org/jira/browse/NIFI-6578"
target="_blank">NIFI-6578</a></p>
- <p>NiFi PR: <a href="https://github.com/apache/nifi/pull/3715"
target="_blank">PR 3715</a></p>
- <p>Released: November 4, 2019</p>
- </div>
- <div class="large-12 columns" style="background-color: aliceblue">
- <p><a id="CVE-2019-0193" href="#CVE-2019-0193"><strong>CVE-2019-0193,
CVE-2019-0192, CVE-2017-3164</strong></a>: Apache NiFi's Solr usage</p>
- <p>Severity: <strong>Critical</strong></p>
- <p>Versions Affected:</p>
- <ul>
- <li>Apache NiFi 1.0.0 - 1.9.2</li>
- </ul>
- </p>
- <p>Description: Various vulnerabilities existed within the Solr
dependency used by NiFi. See <a
href="https://nvd.nist.gov/vuln/detail/CVE-2019-0193" target="_blank">NIST NVD
CVE-2019-0193</a>, <a href="https://nvd.nist.gov/vuln/detail/CVE-2019-0192"
target="_blank">NIST NVD CVE-2019-0192</a>, <a
href="https://nvd.nist.gov/vuln/detail/CVE-2017-3164" target="_blank">NIST NVD
CVE-2017-3164</a> for more information. </p>
- <p>Mitigation: The fix to upgrade the Solr dependency from 6.2.0 to
6.6.6 was applied on the Apache NiFi 1.10.0 release. Users running a prior 1.x
release should upgrade to the appropriate release. </p>
- <p>Credit: This issue was identified by Nathan Gough. </p>
- <p>CVE Link: <a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0193"
target="_blank">Mitre Database: CVE-2019-0193</a>, <a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0192"
target="_blank">Mitre Database: CVE-2019-0192</a>, <a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3164"
target="_blank">Mitre Database: CVE-2017-3164</a></p>
- <p>NiFi Jira: <a
href="https://issues.apache.org/jira/browse/NIFI-6516"
target="_blank">NIFI-6516</a></p>
- <p>NiFi PR: <a href="https://github.com/apache/nifi/pull/3629"
target="_blank">PR 3629</a></p>
- <p>Released: November 4, 2019</p>
- </div>
- <div class="large-12 columns">
- <p><a id="CVE-2019-16335"
href="#CVE-2019-16335"><strong>CVE-2019-16335, CVE-2019-14540, CVE-2019-14439,
CVE-2019-12814, CVE-2019-12384, CVE-2019-12086, CVE-2018-1000873,
CVE-2018-19362, CVE-2018-19361, CVE-2018-19360</strong></a>: Apache NiFi's
Jackson Core Databind usage</p>
- <p>Severity: <strong>Medium</strong></p>
- <p>Versions Affected:</p>
- <ul>
- <li>Apache NiFi 1.0.0 - 1.9.2</li>
- </ul>
- </p>
- <p>Description: Various vulnerabilities existed within the Jackson
Core: Databind dependency used by NiFi. See <a
href="https://nvd.nist.gov/vuln/detail/CVE-2019-16335" target="_blank">NIST NVD
CVE-2019-16335</a>, <a href="https://nvd.nist.gov/vuln/detail/CVE-2019-14540"
target="_blank">NIST NVD CVE-2019-14540</a>, <a
href="https://nvd.nist.gov/vuln/detail/CVE-2019-14439" target="_blank">NIST NVD
CVE-2019-14439</a>, <a href="https://nvd.nist.gov/vuln/detail/CVE-2019-12814"
target [...]
- <p>Mitigation: The fix to upgrade the jackson-databind dependency from
2.9.7 to 2.9.10 was applied on the Apache NiFi 1.10.0 release. Users running a
prior 1.x release should upgrade to the appropriate release. </p>
- <p>Credit: This issue was identified by Pierre Villard and Nathan
Gough. </p>
- <p>CVE Link: <a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16335"
target="_blank">Mitre Database: CVE-2019-16335</a>, <a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14540"
target="_blank">Mitre Database: CVE-2019-14540</a>, <a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14439"
target="_blank">Mitre Database: CVE-2019-14439</a>, <a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12814"
target="_blank">Mitre Datab [...]
- <p>NiFi Jira: <a
href="https://issues.apache.org/jira/browse/NIFI-6709"
target="_blank">NIFI-6709</a></p>
- <p>NiFi PR: <a href="https://github.com/apache/nifi/pull/3765"
target="_blank">PR 3765</a></p>
- <p>Released: November 4, 2019</p>
- </div>
- <div class="large-12 columns" style="background-color: aliceblue">
- <p><a id="CVE-2019-10247"
href="#CVE-2019-10247"><strong>CVE-2019-10247, CVE-2019-10246</strong></a>:
Apache NiFi's Jetty usage</p>
- <p>Severity: <strong>Medium</strong></p>
- <p>Versions Affected:</p>
- <ul>
- <li>Apache NiFi 1.8.0 - 1.9.2</li>
+ <li>Apache NiFi 1.8.0 - 1.10.0</li>
</ul>
</p>
- <p>Description: Various vulnerabilities existed within the Jetty
dependency used by NiFi. See <a
href="https://nvd.nist.gov/vuln/detail/CVE-2019-10247" target="_blank">NIST NVD
CVE-2019-10247</a>, <a href="https://nvd.nist.gov/vuln/detail/CVE-2019-10246"
target="_blank">NIST NVD CVE-2019-10246</a> for more information. </p>
- <p>Mitigation: The fix to upgrade the Jetty dependency from
9.4.11.v20180605 to 9.4.19.v20190610 was applied on the Apache NiFi 1.10.0
release. Users running a prior 1.x release should upgrade to the appropriate
release. </p>
- <p>Credit: This issue was identified by Jeff Storck and Nathan Gough.
</p>
- <p>CVE Link: <a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10247"
target="_blank">Mitre Database: CVE-2019-10247</a>, <a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10246"
target="_blank">Mitre Database: CVE-2019-10246</a></p>
- <p>NiFi Jira: <a
href="https://issues.apache.org/jira/browse/NIFI-6330"
target="_blank">NIFI-6330</a></p>
- <p>NiFi PR: <a href="https://github.com/apache/nifi/pull/3534"
target="_blank">PR 3534</a></p>
- <p>Released: November 4, 2019</p>
- </div>
- <div class="large-12 columns">
- <p><a id="CVE-2019-11358"
href="#CVE-2019-11358"><strong>CVE-2019-11358</strong></a>: Apache NiFi's
JQuery usage</p>
- <p>Severity: <strong>Medium</strong></p>
- <p>Versions Affected:</p>
- <ul>
- <li>Apache NiFi 1.6.0 - 1.9.2</li>
- </ul>
- </p>
- <p>Description: Various vulnerabilities existed within the JQuery
dependency used by NiFi. See <a
href="https://nvd.nist.gov/vuln/detail/CVE-2019-11358" target="_blank">NIST NVD
CVE-2019-11358</a> for more information. </p>
- <p>Mitigation: The fix to upgrade the JQuery dependency from 3.1.1 to
3.4.1 was applied on the Apache NiFi 1.10.0 release. Users running a prior 1.x
release should upgrade to the appropriate release. </p>
- <p>Credit: This issue was identified by Matt Gilman and Rob Fellows.
</p>
- <p>CVE Link: <a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358"
target="_blank">Mitre Database: CVE-2019-11358</a></p>
- <p>NiFi Jira: <a
href="https://issues.apache.org/jira/browse/NIFI-6316"
target="_blank">NIFI-6316</a></p>
- <p>NiFi PR: <a href="https://github.com/apache/nifi/pull/3489"
target="_blank">PR 3489</a></p>
- <p>Released: November 4, 2019</p>
+ <p>Description: An Object.prototype pollution vulnerability existed
within the AngularJS dependency used by NiFi. See <a
href="https://nvd.nist.gov/vuln/detail/CVE-2019-10768" target="_blank">NIST NVD
CVE-2019-10768</a> for more information. </p>
+ <p>Mitigation: AngularJS was upgraded from 1.7.2 to 1.7.9 for the
Apache NiFi 1.11.0 release. Users running a prior 1.x release should upgrade to
the appropriate release. </p>
+ <p>Credit: This issue was identified by Pierre Villard. </p>
+ <p>CVE Link: <a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10768"
target="_blank">Mitre Database: CVE-2019-10768</a></p>
+ <p>NiFi Jira: <a
href="https://issues.apache.org/jira/browse/NIFI-6893"
target="_blank">NIFI-6893</a></p>
+ <p>NiFi PR: <a href="https://github.com/apache/nifi/pull/3899"
target="_blank">PR 3899</a></p>
+ <p>Released: January 22, 2020</p>
</div>
</div>
-
-
<div class="medium-space"></div>
<div class="row">
<div class="large-12 columns features">
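Review bot: The unmatched `</p>` that follows each `</ul>` in the "Versions Affected" blocks is carried over unchanged into the new entries (the context lines `</p>` after `</ul>` under CVE-2020-1928, CVE-2020-1933 and CVE-2019-10768); `<p>Versions Affected:</p>` is already closed on the line above, so this closing tag has no opener and should be dropped while the entries are being rewritten anyway. On the same pass, the single-version range `<li>Apache NiFi 1.10.0 - 1.10.0</li>` for CVE-2020-1928 reads oddly next to the real ranges in the other entries; `<li>Apache NiFi 1.10.0</li>` says the same thing. Finally, the new AngularJS entry keeps the Jetty entry's `<p>Severity: <strong>High</strong></p>` and `1.8.0 - 1.10.0` context lines while replacing every other field, so it is worth confirming that severity and version range were meant for CVE-2019-10768 rather than inherited from the removed Jetty block.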