First published: Tue Jan 23 2018(Updated: )
A malicious host header in an incoming HTTP request could cause NiFi to load resources from an external server. The fix to sanitize host headers and compare to a controlled whitelist was applied on the Apache NiFi 1.5.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
Credit: security@apache.org
Affected Software | Affected Version | How to fix |
---|---|---|
Apache NiFi | <=1.4.0 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2017-12632 is a vulnerability in Apache NiFi that allows a malicious host header in an incoming HTTP request to cause NiFi to load resources from an external server.
CVE-2017-12632 affects Apache NiFi versions up to and including 1.4.0.
CVE-2017-12632 has a severity rating of 7.5 (High).
To fix CVE-2017-12632, users running a prior 1.x release of Apache NiFi should upgrade to the appropriate release, such as Apache NiFi 1.5.0, which includes the fix to sanitize host headers and compare to a controlled whitelist.
More information about CVE-2017-12632 can be found at the following link: [https://nifi.apache.org/security.html#CVE-2017-12632](https://nifi.apache.org/security.html#CVE-2017-12632)