CVE-2017-7665 - OpenCVE

In Apache NiFi before 0.7.4 and 1.x before 1.3.0, there are certain user input components in the UI which had been guarding for some forms of XSS issues but were insufficient.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Nifi

Configuration 1 [-]

OR	cpe:2.3:a:apache:nifi::::::::
	cpe:2.3:a:apache:nifi:1.0.0:::::::*
	cpe:2.3:a:apache:nifi:1.0.1:::::::*
	cpe:2.3:a:apache:nifi:1.1.0:::::::*
	cpe:2.3:a:apache:nifi:1.1.1:::::::*
	cpe:2.3:a:apache:nifi:1.1.2:::::::*
	cpe:2.3:a:apache:nifi:1.2.0:::::::*

No data.

References

Link	Providers
http://www.securityfocus.com/bid/99009
https://lists.apache.org/thread.html/d779d6129de1a5aa149c219b2fc6e9e78156614eaac92a89cbaf9bce%40%3Cdev.nifi.apache.org%3E

History

No history.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2017-06-12T16:00:00

Updated: 2024-08-05T16:12:27.928Z

Reserved: 2017-04-11T00:00:00

Link: CVE-2017-7665

Vulnrichment

No data.

NVD

Status : Modified

Published: 2017-06-12T16:29:00.217

Modified: 2023-11-07T02:50:14.203

Link: CVE-2017-7665

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Apache NiFi", "vendor": "Apache Software Foundation", "versions": [{"status": "affected", "version": "0.0.1 to 0.7.3"}, {"status": "affected", "version": "1.0.0 to 1.2.0"}]}], "datePublic": "2017-06-11T00:00:00", "descriptions": [{"lang": "en", "value": "In Apache NiFi before 0.7.4 and 1.x before 1.3.0, there are certain user input components in the UI which had been guarding for some forms of XSS issues but were insufficient."}], "problemTypes": [{"descriptions": [{"description": "Information Disclosure", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-06-13T09:57:01", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"name": "99009", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/99009"}, {"name": "[dev] 20170611 [ANNOUNCE] Apache NiFi CVE-2017-7667 and CVE-2017-7665", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/d779d6129de1a5aa149c219b2fc6e9e78156614eaac92a89cbaf9bce%40%3Cdev.nifi.apache.org%3E"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2017-7665", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache NiFi", "version": {"version_data": [{"version_value": "0.0.1 to 0.7.3"}, {"version_value": "1.0.0 to 1.2.0"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Apache NiFi before 0.7.4 and 1.x before 1.3.0, there are certain user input components in the UI which had been guarding for some forms of XSS issues but were insufficient."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Information Disclosure"}]}]}, "references": {"reference_data": [{"name": "99009", "refsource": "BID", "url": "http://www.securityfocus.com/bid/99009"}, {"name": "[dev] 20170611 [ANNOUNCE] Apache NiFi CVE-2017-7667 and CVE-2017-7665", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/d779d6129de1a5aa149c219b2fc6e9e78156614eaac92a89cbaf9bce@%3Cdev.nifi.apache.org%3E"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T16:12:27.928Z"}, "title": "CVE Program Container", "references": [{"name": "99009", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/99009"}, {"name": "[dev] 20170611 [ANNOUNCE] Apache NiFi CVE-2017-7667 and CVE-2017-7665", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/d779d6129de1a5aa149c219b2fc6e9e78156614eaac92a89cbaf9bce%40%3Cdev.nifi.apache.org%3E"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2017-7665", "datePublished": "2017-06-12T16:00:00", "dateReserved": "2017-04-11T00:00:00", "dateUpdated": "2024-08-05T16:12:27.928Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*", "matchCriteriaId": "956E1F75-9430-4031-B908-2DFFA7CE22B8", "versionEndIncluding": "0.7.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:nifi:1.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "C028889E-44E8-4E54-9585-BF9B0EED5A9A", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:nifi:1.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "06D38C76-98D2-41F1-9F0B-CEE05215AB4A", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:nifi:1.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "01B8572D-CA8D-4A41-B94A-A393A22B5B9D", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:nifi:1.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "76FDA5E5-6A45-4979-9317-75623A59089F", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:nifi:1.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "DF1BEC26-CB83-4209-893D-5EA6E08A0C4B", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:nifi:1.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "A509533F-ACD6-4290-BE2E-3EDBED60D43B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Apache NiFi before 0.7.4 and 1.x before 1.3.0, there are certain user input components in the UI which had been guarding for some forms of XSS issues but were insufficient."}, {"lang": "es", "value": "En Apache NiFi anterior a versi\u00f3n 0.7.4 y versi\u00f3n 1.x anterior a 1.3.0, se presentan ciertos componentes de entrada de usuario en la interfaz de usuario (UI) que hab\u00edan estado protegiendo algunas formas de XSS reflejado pero fueron insuficientes."}], "id": "CVE-2017-7665", "lastModified": "2023-11-07T02:50:14.203", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-06-12T16:29:00.217", "references": [{"source": "security@apache.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/99009"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/d779d6129de1a5aa149c219b2fc6e9e78156614eaac92a89cbaf9bce%40%3Cdev.nifi.apache.org%3E"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}