CVE-2018-17194: Apache NiFi Improper Input Validation vulnerability
7.5
CVSS Score
3.0
Basic Information
CVE ID
GHSA ID
EPSS Score
0.78123%
CWE
Published
12/20/2018
Updated
3/4/2024
KEV Status
No
Technology
Java
Technical Details
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.apache.nifi:nifi-framework-cluster | maven | >= 1.0.0, <= 1.7.1 | 1.8.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from improper Content-Length handling during DELETE request replication. The patch introduced the 'checkContentLengthHeader' function to validate()
/override this header, which is called from prepareRequest
. In vulnerable versions, prepareRequest
lacked this validation, making it the entry point for the flawed logic. The function's responsibility to prepare HTTP requests without proper input validation directly enabled the vulnerability.