Base Score

MEDIUM5

CVE-2017-15703

Any authenticated user (valid client certificate but without ACL permissions) could upload a template which contained malicious code and caused a denial of service via Java deserialization attack. The fix to properly handle Java deserialization was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should upgrade to the appropriate release.

VectorLOCAL

Published Bysecurity@apache.org

Published DateJan 25, 2018, 21:29

Affected Versions(1)

org.apache.nifi:nifi-framework-cluster-protocol(Maven)

Introduced0

Fixed1.5.0

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
org.apache.nifi:nifi-framework-cluster-protocol(Maven)	0	1.5.0	N/A

Weakness Type (CWE):CWE-502

CVSS Metrics

Base Score

Vector String

CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

Base Severity

MEDIUM

Version

3.0

Attack Vector (AV)

LOCAL

Attack Complexity (AC)

LOW

Privileges Required (PR)

LOW

User Interaction (UI)

REQUIRED

Scope (S)

UNCHANGED

Confidentiality (C)

NONE

Integrity (I)

NONE

Availability (A)

HIGH

References

https://nifi.apache.org/security.html#CVE-2017-15703

Base Score

MEDIUM5

Weakness Type (CWE):CWE-502

CVSS Metrics

Base Score

Vector String

CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

Base Severity

MEDIUM

Version

3.0

Attack Vector (AV)

LOCAL

Attack Complexity (AC)

LOW

Privileges Required (PR)

LOW

User Interaction (UI)

REQUIRED

Scope (S)

UNCHANGED

Confidentiality (C)

NONE

Integrity (I)

NONE

Availability (A)

HIGH