The message-page.jsp error page used the value of the HTTP request header X-ProxyContextPath without sanitization, resulting in a reflected XSS attack. Mitigation: The fix to correctly parse and sanitize the request attribute value was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
References
| Link | Resource |
|---|---|
| https://nifi.apache.org/security.html#CVE-2018-17193 | Vendor Advisory |
| https://nifi.apache.org/security.html#CVE-2018-17193 | Vendor Advisory |
Configurations
History
21 Nov 2024, 03:54
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://nifi.apache.org/security.html#CVE-2018-17193 - Vendor Advisory |
Information
Published : 2018-12-19 14:29
Updated : 2024-11-21 03:54
NVD link : CVE-2018-17193
Mitre link : CVE-2018-17193
CVE.ORG link : CVE-2018-17193
JSON object : View
Products Affected
apache
- nifi
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')