Vulnerability Details : CVE-2017-7665
In Apache NiFi before 0.7.4 and 1.x before 1.3.0, there are certain user input components in the UI which had been guarding for some forms of XSS issues but were insufficient.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2017-7665
- cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*
- cpe:2.3:a:apache:nifi:1.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:nifi:1.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:nifi:1.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:nifi:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:nifi:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:nifi:1.1.1:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-7665
- 1.06%: Probability of exploitation activity in the next 30 days
- ~76%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2017-7665
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST | |
6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 | NIST | |
CWE ids for CVE-2017-7665
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-7665
- http://www.securityfocus.com/bid/99009
  Apache NiFi CVE-2017-7665 Cross Site Scripting Vulnerability (Third Party Advisory; VDB Entry)
- https://lists.apache.org/thread.html/d779d6129de1a5aa149c219b2fc6e9e78156614eaac92a89cbaf9bce@%3Cdev.nifi.apache.org%3E
  [ANNOUNCE] Apache NiFi CVE-2017-7667 and CVE-2017-7665 - Pony Mail (Mailing List; Vendor Advisory)