[MAVEN:GHSA-43FP-VWWG-QGV6] Apache NiFi Improper Input Validation vulnerability

Severity High

Affected Packages 1

Fixed Packages 1

CVEs 1

When a client request to a cluster node was replicated to other nodes in the cluster for verification, the Content-Length was forwarded. On a DELETE request, the body was ignored, but if the initial request had a Content-Length value other than 0, the receiving nodes would wait for the body and eventually timeout. Mitigation: The fix to check DELETE requests and overwrite non-zero Content-Length header values was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release.

Package	Affected Version
pkg:maven/org.apache.nifi/nifi-framework-cluster	>= 1.0.0, <= 1.7.1

Package	Fixed Version
pkg:maven/org.apache.nifi/nifi-framework-cluster	= 1.8.0

ID: MAVEN:GHSA-43FP-VWWG-QGV6
Severity: high
URL: https://github.com/advisories/GHSA-43fp-vwwg-qgv6
Published: 2018-12-20T22:02:32
(5 years ago)
Modified: 2023-09-11T20:45:18
(12 months ago)
Rights: Maven Security Team

Source	# ID	Name	URL
			https://nvd.nist.gov/vuln/detail/CVE-2018-17194
			https://nifi.apache.org/security.html#CVE-2018-17194
			https://github.com/apache/nifi/commit/1baead6f525046a613fc4fe494a0d193776ea70f,
			https://github.com/advisories/GHSA-43fp-vwwg-qgv6

Type	Package URL	Namespace	Name / Product	Version	Distribution / Platform	Arch	Patch / Fix
Affected	pkg:maven/org.apache.nifi/nifi-framework-cluster	org.apache.nifi	nifi-framework-cluster	>= 1.0.0 <= 1.7.1
Fixed	pkg:maven/org.apache.nifi/nifi-framework-cluster	org.apache.nifi	nifi-framework-cluster	= 1.8.0

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date