This is an automated email from the ASF dual-hosted git repository.
alopresto pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/nifi-site.git
The following commit(s) were added to refs/heads/master by this push:
new 351d43a Reconciled differing severity levels and fixed row formatting.
351d43a is described below
commit 351d43abc780e2ff02b02a1e32bf15e4f88bfdb5
Author: Andy LoPresto <[email protected]>
AuthorDate: Mon Feb 10 12:37:24 2020 -0800
Reconciled differing severity levels and fixed row formatting.
---
src/pages/html/security.hbs | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/src/pages/html/security.hbs b/src/pages/html/security.hbs
index 8132837..c4c4705 100644
--- a/src/pages/html/security.hbs
+++ b/src/pages/html/security.hbs
@@ -88,14 +88,14 @@ title: Apache NiFi Security Reports
</div>
<div class="row" style="background-color: aliceblue">
<div class="large-12 columns">
- <p><a id="CVE-2020-1928"
href="#CVE-2020-1928"><strong>CVE-2020-1928</strong></a>: Apache NiFi
information disclosure by debug logging</p>
+ <p><a id="CVE-2020-1928"
href="#CVE-2020-1928"><strong>CVE-2020-1928</strong></a>: Apache NiFi
information disclosure in logs</p>
<p>Severity: <strong>Moderate</strong></p>
<p>Versions Affected:</p>
<ul>
<li>Apache NiFi 1.10.0</li>
</ul>
</p>
- <p>Description: The sensitive parameter parser would log parsed values
for debugging purposes. This would expose literal values entered in a sensitive
property when no parameter was present. </p>
+ <p>Description: The sensitive parameter parser would log parsed
property descriptor values for debugging purposes. This would expose literal
values entered in a sensitive property when no parameter was present. </p>
<p>Mitigation: Removed debug logging from the class. Users running the
1.10.0 release should upgrade to the latest release. </p>
<p>Credit: This issue was discovered by Andy LoPresto. </p>
<p>CVE Link: <a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1928"
target="_blank">Mitre Database: CVE-2020-1928</a></p>
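Review bot: the orphan `</p>` on the line after `</ul>` (unchanged context in this hunk) closes a paragraph that `<p>Versions Affected:</p>` already closed, leaving the row with unbalanced markup; since this commit is described as fixing row formatting, dropping that stray `</p>` here would fit. The reworded heading ("information disclosure in logs") and description ("parsed property descriptor values") read as intended; the trailing space before `</p>` in the Description, Mitigation and Credit paragraphs could be trimmed in the same pass.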
@@ -107,7 +107,7 @@ title: Apache NiFi Security Reports
<div class="row">
<div class="large-12 columns">
<p><a id="CVE-2020-1933"
href="#CVE-2020-1933"><strong>CVE-2020-1933</strong></a>: Apache NiFi XSS
attack</p>
- <p>Severity: <strong>High</strong></p>
+ <p>Severity: <strong>Important</strong></p>
<p>Versions Affected:</p>
<ul>
<li>Apache NiFi 1.0.0 - 1.10.0</li>
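Review bot: the change from High to Important is consistent with the Moderate/Important/Critical levels used in the other hunks of this patch, but because every row is edited by hand, a search of the whole file for any remaining `<strong>High</strong>` or `<strong>Severe</strong>` severity strings before merging would confirm the reconciliation is complete rather than partial.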
@@ -128,10 +128,10 @@ title: Apache NiFi Security Reports
<h2><a id="1.11.0-dependency-vulnerabilities"
href="#1.11.0-dependency-vulnerabilities">Dependency Vulnerabilities</a></h2>
</div>
</div>
-<div class="row">
+<div class="row" style="background-color: aliceblue">
<div class="large-12 columns">
<p><a id="CVE-2019-10768"
href="#CVE-2019-10768"><strong>CVE-2019-10768</strong></a>: Apache NiFi's
AngularJS usage</p>
- <p>Severity: <strong>High</strong></p>
+ <p>Severity: <strong>Important</strong></p>
<p>Versions Affected:</p>
<ul>
<li>Apache NiFi 1.8.0 - 1.10.0</li>
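Review bot: the `style="background-color: aliceblue"` added to the row div hard-codes the alternating shading inline; a CSS class in the site stylesheet would be easier to keep consistent, because with per-row inline styles every inserted or removed entry shifts the pattern for all rows below it. Worth checking that the rows adjacent to this one still alternate correctly after this change.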
@@ -221,7 +221,7 @@ title: Apache NiFi Security Reports
<div class="row">
<div class="large-12 columns">
<p><a id="CVE-2017-5637" href="#CVE-2017-5637"><strong>CVE-2017-5637,
CVE-2016-5017, CVE-2018-8012</strong></a>: Apache NiFi's Zookeeper usage</p>
- <p>Severity: <strong>High</strong></p>
+ <p>Severity: <strong>Important</strong></p>
<p>Versions Affected:</p>
<ul>
<li>Apache NiFi 1.0.0 - 1.9.2</li>
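Review bot: outside the one-line severity change, this combined entry carries a single anchor `id="CVE-2017-5637"` for three CVEs, so fragment links to `#CVE-2016-5017` or `#CVE-2018-8012` will not resolve; the Jackson entry later in this patch gives each CVE its own `<a id="...">` and could serve as the pattern here in a follow-up commit.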
@@ -369,13 +369,13 @@ title: Apache NiFi Security Reports
<div class="row">
<div class="large-12 columns">
<p><a id="CVE-2018-17195"
href="#CVE-2018-17195"><strong>CVE-2018-17195</strong></a>: Apache NiFi CSRF
vulnerability in template upload API</p>
- <p>Severity: <strong>Severe</strong></p>
+ <p>Severity: <strong>Critical</strong></p>
<p>Versions Affected:</p>
<ul>
<li>Apache NiFi 1.0.0 - 1.7.1</li>
</ul>
</p>
- <p>Description: The template upload API endpoint accepted requests
from different domain when sent in conjunction with ARP spoofing + meddler in
the middle (MITM) attack, resulting in a CSRF attack. The required attack
vector is complex, requiring a scenario with client certificate authentication,
same subnet access, and injecting malicious code into an unprotected (plaintext
HTTP) website which the targeted user later visits, but the possible damage
warranted a <strong>Severe</s [...]
+ <p>Description: The template upload API endpoint accepted requests
from different domain when sent in conjunction with ARP spoofing + meddler in
the middle (MITM) attack, resulting in a CSRF attack. The required attack
vector is complex, requiring a scenario with client certificate authentication,
same subnet access, and injecting malicious code into an unprotected (plaintext
HTTP) website which the targeted user later visits, but the possible damage
warranted a <strong>Critical< [...]
<p>Mitigation: The fix to apply Cross-Origin Resource Sharing (CORS)
policy request filtering was applied on the Apache NiFi 1.8.0 release. Users
running a prior 1.x release should upgrade to the appropriate release. </p>
<p>Credit: This issue was discovered by Mike Cole. </p>
<p>CVE Link: <a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17195"
target="_blank">Mitre Database: CVE-2018-17195</a></p>
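Review bot: updating the severity word inside the description prose along with the Severity line is the right call, but the changed description line is cut off at `<strong>Critical< [...]` in this email, so the remainder of that paragraph (including its closing `</strong>` and `</p>`) cannot be checked here and should be verified on the rendered page. While that paragraph is being edited, "accepted requests from different domain" should read "accepted requests from a different domain", and the orphan `</p>` after `</ul>` in the unchanged context is the same unbalanced-markup issue as in the CVE-2020-1928 row.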
@@ -495,7 +495,7 @@ title: Apache NiFi Security Reports
<div class="row" style="background-color: aliceblue">
<div class="large-12 columns">
<p><a id="CVE-2018-7489"
href="#CVE-2018-7489"><strong>CVE-2018-7489</strong></a>, <a id="CVE-2017-7525"
href="#CVE-2017-7525"><strong>CVE-2017-7525</strong></a>, and <a
id="CVE-2017-15095" href="#CVE-2017-15095"><strong>CVE-2017-15095</strong></a>:
Apache NiFi dependency vulnerability in FasterXML Jackson</p>
- <p>Severity: <strong>Severe</strong></p>
+ <p>Severity: <strong>Critical</strong></p>
<p>Versions Affected:</p>
<ul>
<li>Apache NiFi 0.1.0 - 1.6.0</li>
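Review bot: only the Severity line changes for the Jackson entry, yet the CVE-2018-17195 hunk shows that a description paragraph can also repeat the severity word inline. The description for this entry (and for the CVE-2017-8028 entry below) is outside the hunk context, so check both for a leftover `<strong>Severe</strong>` so the rendered prose and the Severity line agree.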
@@ -587,7 +587,7 @@ title: Apache NiFi Security Reports
<div class="row">
<div class="large-12 columns">
<p><a id="CVE-2017-8028"
href="#CVE-2017-8028"><strong>CVE-2017-8028</strong></a>: Apache NiFi LDAP TLS
issue because of Spring Security LDAP vulnerability</p>
- <p>Severity: <strong>Severe</strong></p>
+ <p>Severity: <strong>Critical</strong></p>
<p>Versions Affected:</p>
<ul>
<li>Apache NiFi 0.1.0 - 1.5.0</li>