[ANNOUNCE] Apache NiFi CVE-2017-7667 and CVE-2017-7665

Apache NiFi PMC would like to announce the discovery and resolution of
CVE-2017-7667 and CVE-2017-7665. These issues have been resolved and new
versions of the Apache NiFi project were released in accordance with the
Apache Release Process.

Fixed in Apache NiFi 0.7.4 and 1.3.0

CVE-2017-7667: Apache NiFi XFS issue due to insufficient response headers
Description: Certain user input components in the Apache NiFi UI guarded
against some forms of XSS issues, but that protection was insufficient.

Mitigation: The fix for more complete user input sanitization will be
applied in the Apache NiFi 0.7.4 and Apache NiFi 1.3.0 releases. Users running
a prior 0.x or 1.x release should upgrade to the appropriate release.