CVE-2018-17195 – Apache NiFi Template Upload API Endpoint Cross-Site Request Forgery Vulnerability

Preface: What Is Big Data and Why Do We Need It?

A complex reason of this question. In short sentence to describe, business and human being looking for operational efficiency to improve the daily life.

Technical background of Apache NiFi:
Apache NiFi can help you get your S3 data storage into proper shape for analytic processing with EMR, Hadoop, Drill, and other tools.
Drill is primarily focused on non-relational datastores, including Hadoop, NoSQL and cloud storage.

Vulnerability found on Apache NiFi:
A vulnerability in the template upload API endpoint of Apache NiFi could allow an unauthenticated, adjacent attacker to conduct a cross-site request forgery (CSRF) attack on a targeted system which could be used to conduct further attacks.

Reason: The vulnerability is due to improper validation of user-supplied input by the template upload API endpoint used by the affected software.

Remedy: Official announcement shown as below