Vulnerabilities > CVE-2018-1310 - Deserialization of Untrusted Data vulnerability in Apache Nifi

CVSS 5.0 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

PARTIAL

network

low complexity

apache

CWE-502

NVD

Published: 2018-05-23

Updated: 2018-06-26

Summary

Apache NiFi JMS Deserialization issue because of ActiveMQ client vulnerability. Malicious JMS content could cause denial of service. See ActiveMQ CVE-2015-5254 announcement for more information. The fix to upgrade the activemq-client library to 5.15.3 was applied on the Apache NiFi 1.6.0 release. Users running a prior 1.x release should upgrade to the appropriate release.

Vulnerable Configurations

Part	Description	Count
Application	Apache Apache Nifi 0.2.1 Apache Nifi 0.3.0 Apache Nifi 0.4.0 Apache Nifi 0.4.1 Apache Nifi 0.5.0 Apache Nifi 0.5.1 Apache Nifi 0.6.0 Apache Nifi 0.6.1 Apache Nifi 0.7.0 Apache Nifi 0.7.1 Apache Nifi 0.7.2 Apache Nifi 0.7.3 Apache Nifi 0.7.4 Apache Nifi 1.0.0 Apache Nifi 1.0.1 Apache Nifi 1.1.0 Apache Nifi 1.1.1 Apache Nifi 1.1.2 Apache Nifi 1.2.0 Apache Nifi 1.3.0 Apache Nifi 1.4.0 Apache Nifi 1.5.0	71

Common Weakness Enumeration (CWE)

CWE-502 - Deserialization of Untrusted Data

References

https://nifi.apache.org/security.html#CVE-2018-1310