This is an automated email from the ASF dual-hosted git repository. alopresto pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/nifi-site.git
The following commit(s) were added to refs/heads/master by this push: new 351d43a Reconciled differing severity levels and fixed row formatting. 351d43a is described below commit 351d43abc780e2ff02b02a1e32bf15e4f88bfdb5 Author: Andy LoPresto <alopre...@apache.org> AuthorDate: Mon Feb 10 12:37:24 2020 -0800 Reconciled differing severity levels and fixed row formatting. --- src/pages/html/security.hbs | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/src/pages/html/security.hbs b/src/pages/html/security.hbs index 8132837..c4c4705 100644 --- a/src/pages/html/security.hbs +++ b/src/pages/html/security.hbs @@ -88,14 +88,14 @@ title: Apache NiFi Security Reports </div> <div class="row" style="background-color: aliceblue"> <div class="large-12 columns"> - <p><a id="CVE-2020-1928" href="#CVE-2020-1928"><strong>CVE-2020-1928</strong></a>: Apache NiFi information disclosure by debug logging</p> + <p><a id="CVE-2020-1928" href="#CVE-2020-1928"><strong>CVE-2020-1928</strong></a>: Apache NiFi information disclosure in logs</p> <p>Severity: <strong>Moderate</strong></p> <p>Versions Affected:</p> <ul> <li>Apache NiFi 1.10.0</li> </ul> </p> - <p>Description: The sensitive parameter parser would log parsed values for debugging purposes. This would expose literal values entered in a sensitive property when no parameter was present. </p> + <p>Description: The sensitive parameter parser would log parsed property descriptor values for debugging purposes. This would expose literal values entered in a sensitive property when no parameter was present. </p> <p>Mitigation: Removed debug logging from the class. Users running the 1.10.0 release should upgrade to the latest release. </p> <p>Credit: This issue was discovered by Andy LoPresto. </p> <p>CVE Link: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1928" target="_blank">Mitre Database: CVE-2020-1928</a></p> 
@@ -107,7 +107,7 @@ title: Apache NiFi Security Reports <div class="row"> <div class="large-12 columns"> <p><a id="CVE-2020-1933" href="#CVE-2020-1933"><strong>CVE-2020-1933</strong></a>: Apache NiFi XSS attack</p> - <p>Severity: <strong>High</strong></p> + <p>Severity: <strong>Important</strong></p> <p>Versions Affected:</p> <ul> <li>Apache NiFi 1.0.0 - 1.10.0</li> @@ -128,10 +128,10 @@ title: Apache NiFi Security Reports <h2><a id="1.11.0-dependency-vulnerabilities" href="#1.11.0-dependency-vulnerabilities">Dependency Vulnerabilities</a></h2> </div> </div> -<div class="row"> +<div class="row" style="background-color: aliceblue"> <div class="large-12 columns"> <p><a id="CVE-2019-10768" href="#CVE-2019-10768"><strong>CVE-2019-10768</strong></a>: Apache NiFi's AngularJS usage</p> - <p>Severity: <strong>High</strong></p> + <p>Severity: <strong>Important</strong></p> <p>Versions Affected:</p> <ul> <li>Apache NiFi 1.8.0 - 1.10.0</li> @@ -221,7 +221,7 @@ title: Apache NiFi Security Reports <div class="row"> <div class="large-12 columns"> <p><a id="CVE-2017-5637" href="#CVE-2017-5637"><strong>CVE-2017-5637, CVE-2016-5017, CVE-2018-8012</strong></a>: Apache NiFi's Zookeeper usage</p> - <p>Severity: <strong>High</strong></p> + <p>Severity: <strong>Important</strong></p> <p>Versions Affected:</p> <ul> <li>Apache NiFi 1.0.0 - 1.9.2</li> 
@@ -369,13 +369,13 @@ title: Apache NiFi Security Reports <div class="row"> <div class="large-12 columns"> <p><a id="CVE-2018-17195" href="#CVE-2018-17195"><strong>CVE-2018-17195</strong></a>: Apache NiFi CSRF vulnerability in template upload API</p> - <p>Severity: <strong>Severe</strong></p> + <p>Severity: <strong>Critical</strong></p> <p>Versions Affected:</p> <ul> <li>Apache NiFi 1.0.0 - 1.7.1</li> </ul> </p> - <p>Description: The template upload API endpoint accepted requests from different domain when sent in conjunction with ARP spoofing + meddler in the middle (MITM) attack, resulting in a CSRF attack. The required attack vector is complex, requiring a scenario with client certificate authentication, same subnet access, and injecting malicious code into an unprotected (plaintext HTTP) website which the targeted user later visits, but the possible damage warranted a <strong>Severe</s [...] + <p>Description: The template upload API endpoint accepted requests from different domain when sent in conjunction with ARP spoofing + meddler in the middle (MITM) attack, resulting in a CSRF attack. The required attack vector is complex, requiring a scenario with client certificate authentication, same subnet access, and injecting malicious code into an unprotected (plaintext HTTP) website which the targeted user later visits, but the possible damage warranted a <strong>Critical< [...] <p>Mitigation: The fix to apply Cross-Origin Resource Sharing (CORS) policy request filtering was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release. </p> <p>Credit: This issue was discovered by Mike Cole. </p> <p>CVE Link: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17195" target="_blank">Mitre Database: CVE-2018-17195</a></p> 
@@ -495,7 +495,7 @@ title: Apache NiFi Security Reports <div class="row" style="background-color: aliceblue"> <div class="large-12 columns"> <p><a id="CVE-2018-7489" href="#CVE-2018-7489"><strong>CVE-2018-7489</strong></a>, <a id="CVE-2017-7525" href="#CVE-2017-7525"><strong>CVE-2017-7525</strong></a>, and <a id="CVE-2017-15095" href="#CVE-2017-15095"><strong>CVE-2017-15095</strong></a>: Apache NiFi dependency vulnerability in FasterXML Jackson</p> - <p>Severity: <strong>Severe</strong></p> + <p>Severity: <strong>Critical</strong></p> <p>Versions Affected:</p> <ul> <li>Apache NiFi 0.1.0 - 1.6.0</li> @@ -587,7 +587,7 @@ title: Apache NiFi Security Reports <div class="row"> <div class="large-12 columns"> <p><a id="CVE-2017-8028" href="#CVE-2017-8028"><strong>CVE-2017-8028</strong></a>: Apache NiFi LDAP TLS issue because of Spring Security LDAP vulnerability</p> - <p>Severity: <strong>Severe</strong></p> + <p>Severity: <strong>Critical</strong></p> <p>Versions Affected:</p> <ul> <li>Apache NiFi 0.1.0 - 1.5.0</li>
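Review bot: in the first hunk (@@ -88,14 +88,14 @@, CVE-2020-1928) the unchanged context line `</p>` that follows `</ul>` closes a paragraph that was never opened, so the row markup is unbalanced; since this commit is already touching the row and its message says it fixes row formatting, drop that stray `</p>` (the same stray `</p>` after `</ul>` appears in the CVE-2018-17195 row in the @@ -369,13 +369,13 @@ hunk).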
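Review bot: in the @@ -128,10 +128,10 @@ hunk the added `style="background-color: aliceblue"` on the CVE-2019-10768 row duplicates the inline style already present on the CVE-2020-1928 and CVE-2018-7489 rows, so the alternating shading is hand-maintained on every other row; a CSS class applied to alternating rows would keep the shading consistent as reports are added, and is worth doing before more rows accumulate.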
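Review bot: in the @@ -369,13 +369,13 @@ hunk the replacement `+` line for the CVE-2018-17195 description keeps the phrasing "accepted requests from different domain"; since the line is being rewritten anyway, change it to "accepted requests from a different domain" (or "from other origins", which matches the CORS mitigation wording two lines below).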
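Review bot: the @@ -107,7 +107,7 @@, @@ -221,7 +221,7 @@, @@ -495,7 +495,7 @@ and @@ -587,7 +587,7 @@ hunks rename "High" to "Important" and "Severe" to "Critical", which together with the "Moderate" already in the CVE-2020-1928 row gives the page a single Moderate/Important/Critical vocabulary, but no hunk touches any legend or introductory text that explains the severity scale; if the page has one, it should be updated in the same commit so the labels in the rows and the legend agree.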