Modified: nifi/site/trunk/security.html
URL: http://svn.apache.org/viewvc/nifi/site/trunk/security.html?rev=1811625&r1=1811624&r2=1811625&view=diff
==============================================================================
--- nifi/site/trunk/security.html (original)
+++ nifi/site/trunk/security.html Mon Oct 9 23:12:04 2017
@@ -150,6 +150,26 @@
<div class="medium-space"></div>
<div class="row">
<div class="large-12 columns features">
+ <h2>Fixed in Apache NiFi 1.4.0</h2>
+ </div>
+</div>
+<div class="row">
+ <div class="large-12 columns">
+ <p><b>CVE-2017-12623</b>: Apache NiFi XXE issue in template XML
upload</p>
+ <p>Severity: <b>Medium</b></p>
+ <p>Versions Affected:</p>
+ <ul>
+ <li>Apache NiFi 1.0.0 - 1.3.0</li>
+ </ul>
+ </p>
+ <p>Description: An authorized user could upload a template which contained
malicious code and accessed sensitive files via an XML External Entity (XXE) attack. </p>
+ <p>Mitigation: The fix to properly handle XML External Entities was applied
on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should upgrade to the
appropriate release. </p>
+ <p>Credit: This issue was discovered by PaweÅ Gocyla. </p>
+ </div>
+</div>
+<div class="medium-space"></div>
+<div class="row">
+ <div class="large-12 columns features">
<h2>Fixed in Apache NiFi 0.7.4 and 1.3.0</h2>
</div>
</div>
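Review bot: The "+ </p>" that follows the closing "</ul>" of the Versions Affected list has no matching open tag, because "<p>Versions Affected:</p>" is already closed on its own line. Drop it so the new advisory block stays well-formed. In the Credit line the reporter's name reads "PaweÅ Gocyla", which looks like a multi-byte character that was damaged on save or in transit. Confirm the file's encoding, or write the character as a numeric character reference. The Description also mixes tenses ("could upload a template which contained ... and accessed sensitive files"); "could upload a template containing ... and access sensitive files" reads more clearly.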