CVE-2018-17193

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2018-17193

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-17193.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2018-17193

Aliases

GHSA-4qq9-rrq6-48ff

Published

2018-12-19T14:29:00Z

Modified

2024-09-03T02:06:46.081563Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

The message-page.jsp error page used the value of the HTTP request header X-ProxyContextPath without sanitization, resulting in a reflected XSS attack. Mitigation: The fix to correctly parse and sanitize the request attribute value was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release.

References

https://nifi.apache.org/security.html#CVE-2018-17193

Affected packages

Git / github.com/apache/nifi

Affected ranges

Type: GIT
Repo: https://github.com/apache/nifi
Events: Introduced

74d5224783dfdc513f6b3ad5ed96671d3c581707

Last affected

241e5411a24435ca2c39ab7bea1c5eb9ed195cb3

Affected versions

docker/nifi-1.*

docker/nifi-1.2.0

nifi-1.*

nifi-1.0.0-RC1

nifi-1.1.0-RC2

nifi-1.2.0-RC2

nifi-1.3.0-RC1

nifi-1.5.0-RC1

nifi-1.6.0-RC3

nifi-1.7.0-RC1

nifi-1.7.1-RC1

rel/nifi-1.*

rel/nifi-1.0.0

rel/nifi-1.1.0

rel/nifi-1.2.0

rel/nifi-1.3.0

rel/nifi-1.4.0

rel/nifi-1.5.0

rel/nifi-1.6.0

rel/nifi-1.7.0

rel/nifi-1.7.1