Deserialization of untrusted data in Apache Nifi - CVE-2018-1310


Published: May 24, 2018 / Updated: May 29, 2018


Vulnerability identifier: #VU13036
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-1310
CWE-ID: CWE-502
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Apache Foundation
Affected software:
Apache Nifi

Detailed vulnerability description

The vulnerability allows a remote attacker to cause a denial-of-service (DoS) condition on the target system.

The vulnerability exists because Apache NiFi consumes Java Message Service (JMS) content through an ActiveMQ client library that unsafely deserializes ObjectMessage payloads, the issue tracked as CVE-2015-5254. A remote attacker able to deliver messages to the affected NiFi instance can submit specially crafted JMS content that causes the affected software to become unresponsive or crash, resulting in a DoS condition.
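As an added illustration, not code from Apache NiFi or from this advisory, the following Java consumer shows the client-side control the ActiveMQ client offers against CVE-2015-5254: an explicit allow-list of packages whose classes an ObjectMessage may deserialize, with rejected payloads logged instead of crashing the consumer. The broker URL, queue name and the com.example.model package are assumptions; the advisory's own remediation remains the upgrade to NiFi 1.6.

```java
import java.util.Arrays;
import javax.jms.Connection;
import javax.jms.JMSException;
import javax.jms.Message;
import javax.jms.MessageConsumer;
import javax.jms.ObjectMessage;
import javax.jms.Session;
import javax.jms.TextMessage;
import org.apache.activemq.ActiveMQConnectionFactory;

/** JMS consumer that only deserializes ObjectMessage classes from an explicit package allow-list. */
public class HardenedJmsConsumer {

    public static ActiveMQConnectionFactory hardenedFactory(String brokerUrl) {
        ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory(brokerUrl);
        // Trusting all packages restores the unrestricted deserialization behind CVE-2015-5254.
        factory.setTrustAllPackages(false);
        // Only classes in these packages may be deserialized from an ObjectMessage.
        // "com.example.model" is a hypothetical application package (assumption).
        factory.setTrustedPackages(Arrays.asList("java.lang", "java.util", "com.example.model"));
        return factory;
    }

    public static void consume(String brokerUrl, String queueName) throws JMSException {
        Connection connection = hardenedFactory(brokerUrl).createConnection();
        connection.start();
        try {
            Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
            MessageConsumer consumer = session.createConsumer(session.createQueue(queueName));
            Message msg = consumer.receive(5000);
            if (msg instanceof TextMessage) {
                // Preferred payload shape: text parsed by the application, no Java deserialization at all.
                System.out.println("text: " + ((TextMessage) msg).getText());
            } else if (msg instanceof ObjectMessage) {
                try {
                    // getObject() is where deserialization happens; the client rejects classes outside the list.
                    Object payload = ((ObjectMessage) msg).getObject();
                    System.out.println("object: " + payload.getClass().getName());
                } catch (JMSException rejected) {
                    // Log and drop rather than crash; a rejected payload is a signal worth alerting on.
                    System.err.println("rejected ObjectMessage: " + rejected.getMessage());
                }
            }
        } finally {
            connection.close();
        }
    }

    public static void main(String[] args) throws JMSException {
        consume("tcp://localhost:61616", "example.queue"); // assumed broker URL and queue name
    }
}
```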


How to mitigate CVE-2018-1310

Update Apache NiFi to version 1.6.

Sources