nifi-commits mailing list archives

From alopre...@apache.org
Subject svn commit: r1811625 [3/3] - in /nifi/site/trunk: assets/js/foundation.js assets/stylesheets/app.css security.html
Date Mon, 09 Oct 2017 23:12:04 GMT
Modified: nifi/site/trunk/security.html
URL: http://svn.apache.org/viewvc/nifi/site/trunk/security.html?rev=1811625&r1=1811624&r2=1811625&view=diff
==============================================================================
--- nifi/site/trunk/security.html (original)
+++ nifi/site/trunk/security.html Mon Oct  9 23:12:04 2017
@@ -150,6 +150,26 @@
 <div class="medium-space"></div>
 <div class="row">
     <div class="large-12 columns features">
+        <h2>Fixed in Apache NiFi 1.4.0</h2>
+    </div>
+</div>
+<div class="row">
+    <div class="large-12 columns">
+        <p><b>CVE-2017-12623</b>: Apache NiFi XXE issue in template XML
upload</p>
+        <p>Severity: <b>Medium</b></p>
+        <p>Versions Affected:</p>
+        <ul>
+            <li>Apache NiFi 1.0.0 - 1.3.0</li>
+        </ul>
+        </p>
+        <p>Description: An authorized user could upload a template which contained
malicious code and accessed sensitive files via an XML External Entity (XXE) attack. </p>
+        <p>Mitigation: The fix to properly handle XML External Entities was applied
on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should upgrade to the
appropriate release. </p>
+        <p>Credit: This issue was discovered by Paweł Gocyla. </p>
+    </div>
+</div>
+<div class="medium-space"></div>
+<div class="row">
+    <div class="large-12 columns features">
         <h2>Fixed in Apache NiFi 0.7.4 and 1.3.0</h2>
     </div>
 </div>
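Review bot: The `</p>` added directly after `</ul>` in the CVE-2017-12623 block has no matching opening tag, because `<p>Versions Affected:</p>` is already closed on its own line before the `<ul>`. Browsers treat a stray `</p>` as an empty paragraph, so the entry picks up extra vertical space and the page fails validation; drop that line. Separately, the Mitigation paragraph tells users on a prior 1.x release to upgrade to "the appropriate release" right after naming 1.4.0 as the fixed release, so stating 1.4.0 there as the upgrade target would remove the ambiguity.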


