apache-nifi.advisories.yaml

schema-version: 2.0.2

package:
  name: apache-nifi

advisories:
  - id: CGA-24m5-8f5h-34wq
    aliases:
      - CVE-2022-3510
      - GHSA-4gg5-vx3j-xwc7
    events:
      - timestamp: 2024-05-17T01:00:41Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: 97958e540399f5bc
            componentName: protobuf-java
            componentVersion: 2.5.0
            componentType: java-archive
            componentLocation: /usr/share/nifi/lib/nifi-hbase_2-client-service-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-05-17T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.
      - timestamp: 2024-05-17T16:32:08Z
        type: fixed
        data:
          fixed-version: 1.26.0-r2
      - timestamp: 2024-05-29T07:12:53Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: bee580f749c1fcf8
            componentName: protobuf-java
            componentVersion: 2.5.0
            componentType: java-archive
            componentLocation: /usr/share/nifi/nifi-current/lib/nifi-hbase_2-client-service-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-06-09T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.

  - id: CGA-2m2m-2659-48mq
    aliases:
      - CVE-2024-36124
      - GHSA-8wh2-6qhj-h7j9
    events:
      - timestamp: 2024-06-05T07:08:02Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: a71ee90dac251d6b
            componentName: snappy
            componentVersion: "0.4"
            componentType: java-archive
            componentLocation: /usr/share/nifi/nifi-current/lib/nifi-couchbase-services-api-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-06-25T13:31:51Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.
      - timestamp: 2024-11-07T13:10:50Z
        type: fixed
        data:
          fixed-version: 2.0.0-r0

  - id: CGA-2r92-crq9-6h8p
    aliases:
      - CVE-2024-47554
      - GHSA-78wr-2p64-hpwj
    events:
      - timestamp: 2024-10-04T08:05:57Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: 2ac2475d6dc2d6fa
            componentName: commons-io
            componentVersion: 2.8.0
            componentType: java-archive
            componentLocation: /usr/share/nifi/nifi-current/lib/nifi-hadoop-libraries-nar-1.27.0.nar
            scanner: grype
      - timestamp: 2024-10-16T01:59:35Z
        type: pending-upstream-fix
        data:
          note: The transitive dependency commons-io v2.8.0 is found in [nifi-hadoop-libraries-nar](https://github.com/apache/nifi/blob/244400f54925a52e89ccf4f821b58a72ff9777a5/nifi-extension-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml) where commons-io is being brought in by [hadoop-client.](https://github.com/apache/nifi/blob/244400f54925a52e89ccf4f821b58a72ff9777a5/nifi-extension-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml#L29) The version is compiled based off of the parent [pom.xml’s definition](https://github.com/apache/nifi/blob/244400f54925a52e89ccf4f821b58a72ff9777a5/pom.xml#L145) of hadoop.version which requires upstream maintainers to update.
      - timestamp: 2024-11-07T13:10:48Z
        type: fixed
        data:
          fixed-version: 2.0.0-r0

  - id: CGA-2x43-4rcw-8pc3
    aliases:
      - CVE-2024-38809
      - GHSA-2rmj-mq67-h97g
    events:
      - timestamp: 2024-09-27T08:03:45Z
        type: fixed
        data:
          fixed-version: 1.27.0-r1

  - id: CGA-439m-2c4m-j5r4
    aliases:
      - CVE-2024-38808
      - GHSA-9cmq-m9j5-mvww
    events:
      - timestamp: 2024-08-21T07:08:11Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: 90f3e8b59c206e7e
            componentName: spring-expression
            componentVersion: 5.3.37
            componentType: java-archive
            componentLocation: /usr/share/nifi/nifi-current/lib/nifi-email-nar-1.27.0.nar
            scanner: grype
      - timestamp: 2024-08-30T16:24:47Z
        type: fixed
        data:
          fixed-version: 1.27.0-r1

  - id: CGA-448q-2j96-v6wq
    aliases:
      - CVE-2024-7254
      - GHSA-735f-pc8j-v9w8
    events:
      - timestamp: 2024-09-21T07:08:39Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: 0be9c7dbb9336512
            componentName: protobuf-java
            componentVersion: 2.5.0
            componentType: java-archive
            componentLocation: /usr/share/nifi/nifi-current/lib/nifi-hadoop-libraries-nar-1.27.0.nar
            scanner: grype
      - timestamp: 2024-10-02T14:46:18Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.
      - timestamp: 2024-11-07T13:10:50Z
        type: fixed
        data:
          fixed-version: 2.0.0-r0

  - id: CGA-4f97-xch2-fqp3
    aliases:
      - CVE-2024-29025
      - GHSA-5jpm-x58v-624v
    events:
      - timestamp: 2024-05-17T01:00:47Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: 470809a5bd5857e4
            componentName: netty-codec-http
            componentVersion: 4.1.84.Final
            componentType: java-archive
            componentLocation: /usr/share/nifi/lib/nifi-couchbase-services-api-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-05-17T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.
      - timestamp: 2024-05-17T16:32:12Z
        type: fixed
        data:
          fixed-version: 1.26.0-r2
      - timestamp: 2024-05-29T07:13:35Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: d7f800220b1bc332
            componentName: netty-codec-http
            componentVersion: 4.1.84.Final
            componentType: java-archive
            componentLocation: /usr/share/nifi/nifi-current/lib/nifi-couchbase-services-api-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-06-09T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.

  - id: CGA-4p9j-8g99-x3wm
    aliases:
      - CVE-2023-34462
      - GHSA-6mjq-h674-j845
    events:
      - timestamp: 2024-05-17T01:00:51Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: 574e8fc180b6a82e
            componentName: netty-handler
            componentVersion: 4.1.84.Final
            componentType: java-archive
            componentLocation: /usr/share/nifi/lib/nifi-couchbase-services-api-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-05-17T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.
      - timestamp: 2024-05-17T16:32:07Z
        type: fixed
        data:
          fixed-version: 1.26.0-r2
      - timestamp: 2024-05-29T07:13:56Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: 8ed77b863efd3c00
            componentName: netty-handler
            componentVersion: 4.1.84.Final
            componentType: java-archive
            componentLocation: /usr/share/nifi/nifi-current/lib/nifi-couchbase-services-api-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-06-09T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.

  - id: CGA-4phw-5934-cp4w
    aliases:
      - CVE-2024-29133
      - GHSA-9w38-p64v-xpmv
    events:
      - timestamp: 2024-05-17T01:01:03Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: a8206f409f686724
            componentName: commons-configuration2
            componentVersion: 2.1.1
            componentType: java-archive
            componentLocation: /usr/share/nifi/lib/nifi-hbase_2-client-service-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-05-17T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.
      - timestamp: 2024-05-17T16:32:14Z
        type: fixed
        data:
          fixed-version: 1.26.0-r2
      - timestamp: 2024-05-29T07:14:50Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: 1a4373e7adbd3c4e
            componentName: commons-configuration2
            componentVersion: 2.1.1
            componentType: java-archive
            componentLocation: /usr/share/nifi/nifi-current/lib/nifi-hbase_2-client-service-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-06-09T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.

  - id: CGA-5mrq-75x2-g8hj
    aliases:
      - CVE-2024-30171
      - GHSA-v435-xc8x-wvr9
    events:
      - timestamp: 2024-05-17T01:01:45Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: 5c53423d42f1274f
            componentName: bcpkix-jdk18on
            componentVersion: "1.71"
            componentType: java-archive
            componentLocation: /usr/share/nifi/lib/nifi-scripting-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-05-17T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.
      - timestamp: 2024-05-17T16:32:09Z
        type: fixed
        data:
          fixed-version: 1.26.0-r2
      - timestamp: 2024-05-29T07:17:06Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: 2e97ef63bb30e17c
            componentName: bcpkix-jdk18on
            componentVersion: "1.71"
            componentType: java-archive
            componentLocation: /usr/share/nifi/nifi-current/lib/nifi-scripting-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-06-09T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.

  - id: CGA-5qc7-mgj3-whcp
    aliases:
      - CVE-2022-41881
      - GHSA-fx2c-96vj-985v
    events:
      - timestamp: 2024-05-17T01:01:06Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: bead1ce19c1ad2ac
            componentName: netty-codec-haproxy
            componentVersion: 4.1.84.Final
            componentType: java-archive
            componentLocation: /usr/share/nifi/lib/nifi-couchbase-services-api-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-05-17T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.
      - timestamp: 2024-05-17T16:32:14Z
        type: fixed
        data:
          fixed-version: 1.26.0-r2
      - timestamp: 2024-05-29T07:15:02Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: a7a7af874a8de700
            componentName: netty-codec-haproxy
            componentVersion: 4.1.84.Final
            componentType: java-archive
            componentLocation: /usr/share/nifi/nifi-current/lib/nifi-couchbase-services-api-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-06-09T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.

  - id: CGA-6h6p-w435-25j2
    aliases:
      - CVE-2023-46120
      - GHSA-mm8h-8587-p46h
    events:
      - timestamp: 2024-05-17T01:01:33Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: b411083892e89e35
            componentName: amqp-client
            componentVersion: 5.17.0
            componentType: java-archive
            componentLocation: /usr/share/nifi/lib/nifi-metrics-reporting-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-05-17T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.
      - timestamp: 2024-05-17T16:32:06Z
        type: fixed
        data:
          fixed-version: 1.26.0-r2
      - timestamp: 2024-05-29T07:16:32Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: 514fc962f417faec
            componentName: amqp-client
            componentVersion: 5.17.0
            componentType: java-archive
            componentLocation: /usr/share/nifi/nifi-current/lib/nifi-metrics-reporting-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-06-09T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.

  - id: CGA-6jvc-fmj8-g22f
    aliases:
      - CVE-2024-29131
      - GHSA-xjp4-hw94-mvp5
    events:
      - timestamp: 2024-05-17T01:01:58Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: a8206f409f686724
            componentName: commons-configuration2
            componentVersion: 2.1.1
            componentType: java-archive
            componentLocation: /usr/share/nifi/lib/nifi-hbase_2-client-service-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-05-17T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.
      - timestamp: 2024-05-17T16:32:04Z
        type: fixed
        data:
          fixed-version: 1.26.0-r2
      - timestamp: 2024-05-29T07:17:41Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: 1a4373e7adbd3c4e
            componentName: commons-configuration2
            componentVersion: 2.1.1
            componentType: java-archive
            componentLocation: /usr/share/nifi/nifi-current/lib/nifi-hbase_2-client-service-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-06-09T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.

  - id: CGA-6rmf-ffqm-f8vv
    aliases:
      - CVE-2024-25710
      - GHSA-4g9r-vxhx-9pgx
    events:
      - timestamp: 2024-05-17T01:00:40Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: eac3d3f5c1446699
            componentName: commons-compress
            componentVersion: "1.21"
            componentType: java-archive
            componentLocation: /usr/share/nifi/lib/nifi-scripting-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-05-17T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.
      - timestamp: 2024-05-17T16:32:13Z
        type: fixed
        data:
          fixed-version: 1.26.0-r2
      - timestamp: 2024-05-29T07:12:43Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: 6bfd1ff1bc97b9ff
            componentName: commons-compress
            componentVersion: "1.21"
            componentType: java-archive
            componentLocation: /usr/share/nifi/nifi-current/lib/nifi-hwx-schema-registry-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-06-09T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.

  - id: CGA-6xhq-ggm7-4q2r
    aliases:
      - CVE-2021-38153
      - GHSA-3j6g-hxx5-3q26
    events:
      - timestamp: 2024-05-17T01:00:37Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: 5f0d2c78c1d4b43d
            componentName: kafka-clients
            componentVersion: 2.0.0
            componentType: java-archive
            componentLocation: /usr/share/nifi/lib/nifi-kafka-2-0-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-05-17T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.
      - timestamp: 2024-05-17T16:32:17Z
        type: fixed
        data:
          fixed-version: 1.26.0-r2
      - timestamp: 2024-05-29T07:12:11Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: 262f9922f1f6fd16
            componentName: kafka-clients
            componentVersion: 2.0.0
            componentType: java-archive
            componentLocation: /usr/share/nifi/nifi-current/lib/nifi-kafka-2-0-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-06-09T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.

  - id: CGA-7m9h-6gc8-vcqq
    aliases:
      - CVE-2024-38821
      - GHSA-c4q5-6c82-3qpw
    events:
      - timestamp: 2024-10-29T09:16:02Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi-compat
            componentID: cbcac0d97bb75cf2
            componentName: spring-security-web
            componentVersion: 5.8.14
            componentType: java-archive
            componentLocation: /usr/share/nifi/nifi-toolkit-current/lib/spring-security-web-5.8.14.jar
            scanner: grype
      - timestamp: 2024-11-07T13:10:46Z
        type: fixed
        data:
          fixed-version: 2.0.0-r0

  - id: CGA-7rjh-334q-pq8g
    aliases:
      - CVE-2020-8908
      - GHSA-5mg8-w23w-74h3
    events:
      - timestamp: 2024-05-17T01:00:49Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: 6c75ff4ffd67eac3
            componentName: guava
            componentVersion: 14.0.1
            componentType: java-archive
            componentLocation: /usr/share/nifi/lib/nifi-social-media-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-05-17T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.
      - timestamp: 2024-05-17T16:32:03Z
        type: fixed
        data:
          fixed-version: 1.26.0-r2
      - timestamp: 2024-05-29T07:13:46Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: 37e170556587a4bf
            componentName: guava
            componentVersion: 14.0.1
            componentType: java-archive
            componentLocation: /usr/share/nifi/nifi-current/lib/nifi-social-media-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-06-09T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.

  - id: CGA-8223-gxg7-8cjf
    aliases:
      - CVE-2018-10237
      - GHSA-mvr2-9pj6-7w5j
    events:
      - timestamp: 2024-05-17T01:01:37Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: 6c75ff4ffd67eac3
            componentName: guava
            componentVersion: 14.0.1
            componentType: java-archive
            componentLocation: /usr/share/nifi/lib/nifi-social-media-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-05-17T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.
      - timestamp: 2024-05-17T16:32:02Z
        type: fixed
        data:
          fixed-version: 1.26.0-r2
      - timestamp: 2024-05-29T07:16:43Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: 37e170556587a4bf
            componentName: guava
            componentVersion: 14.0.1
            componentType: java-archive
            componentLocation: /usr/share/nifi/nifi-current/lib/nifi-social-media-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-06-09T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.

  - id: CGA-88fx-6j2p-hrcp
    aliases:
      - CVE-2024-34447
      - GHSA-4h8f-2wvx-gg5w
    events:
      - timestamp: 2024-05-17T01:00:42Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: 84cc2e3aa69dd2b2
            componentName: bcprov-jdk18on
            componentVersion: "1.71"
            componentType: java-archive
            componentLocation: /usr/share/nifi/lib/nifi-scripting-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-05-17T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.
      - timestamp: 2024-05-17T16:32:18Z
        type: fixed
        data:
          fixed-version: 1.26.0-r2
      - timestamp: 2024-05-29T07:13:04Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: de7aa4cf3030983a
            componentName: bcprov-jdk18on
            componentVersion: "1.71"
            componentType: java-archive
            componentLocation: /usr/share/nifi/nifi-current/lib/nifi-scripting-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-06-09T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.

  - id: CGA-8rr9-ww3c-5c97
    aliases:
      - CVE-2024-37389
      - GHSA-h658-qqv9-qwv8
    events:
      - timestamp: 2024-07-20T13:02:47Z
        type: fixed
        data:
          fixed-version: 1.27.0-r0

  - id: CGA-8vvp-pq4p-2hc6
    aliases:
      - CVE-2024-8184
      - GHSA-g8m5-722r-8whq
    events:
      - timestamp: 2024-10-15T09:10:33Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi-compat
            componentID: 6de63a7d575ec0f3
            componentName: jetty-server
            componentVersion: 9.4.54.v20240208
            componentType: java-archive
            componentLocation: /usr/share/nifi/nifi-toolkit-current/lib/jetty-server-9.4.54.v20240208.jar
            scanner: grype

  - id: CGA-8wwh-mmvc-38jq
    aliases:
      - GHSA-crjg-w57m-rqqf
    events:
      - timestamp: 2024-07-24T07:07:31Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: ec2d95b8a62b475b
            componentName: dnsjava
            componentVersion: 2.1.7
            componentType: java-archive
            componentLocation: /usr/share/nifi/nifi-current/lib/nifi-hbase_2-client-service-nar-1.27.0.nar
            scanner: grype
      - timestamp: 2024-07-30T15:52:20Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency (nifi-hbase_2-client-service-nar) which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.

  - id: CGA-99xf-gfgx-9h82
    aliases:
      - CVE-2023-51775
      - GHSA-6qvw-249j-h44c
    events:
      - timestamp: 2024-05-17T01:00:54Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: d4be8c692b6a1124
            componentName: jose4j
            componentVersion: 0.9.3
            componentType: java-archive
            componentLocation: /usr/share/nifi/lib/nifi-box-services-api-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-05-17T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.
      - timestamp: 2024-05-17T16:32:05Z
        type: fixed
        data:
          fixed-version: 1.26.0-r2
      - timestamp: 2024-05-29T07:14:07Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: 754b07c2ecb0649c
            componentName: jose4j
            componentVersion: 0.9.3
            componentType: java-archive
            componentLocation: /usr/share/nifi/nifi-current/lib/nifi-box-services-api-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-06-09T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.

  - id: CGA-9f5h-57xr-g74j
    aliases:
      - CVE-2024-26308
      - GHSA-4265-ccf5-phj5
    events:
      - timestamp: 2024-05-17T01:00:39Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: f6f208bf4083f0ba
            componentName: commons-compress
            componentVersion: "1.21"
            componentType: java-archive
            componentLocation: /usr/share/nifi/lib/nifi-hwx-schema-registry-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-05-17T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.
      - timestamp: 2024-05-17T16:32:09Z
        type: fixed
        data:
          fixed-version: 1.26.0-r2
      - timestamp: 2024-05-29T07:12:32Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: 6bfd1ff1bc97b9ff
            componentName: commons-compress
            componentVersion: "1.21"
            componentType: java-archive
            componentLocation: /usr/share/nifi/nifi-current/lib/nifi-hwx-schema-registry-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-06-09T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.

  - id: CGA-9v29-fwrv-3vmr
    aliases:
      - CVE-2023-33201
      - GHSA-hr8g-6v94-x4m9
    events:
      - timestamp: 2024-05-17T01:01:22Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: 84cc2e3aa69dd2b2
            componentName: bcprov-jdk18on
            componentVersion: "1.71"
            componentType: java-archive
            componentLocation: /usr/share/nifi/lib/nifi-scripting-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-05-17T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.
      - timestamp: 2024-05-17T16:32:01Z
        type: fixed
        data:
          fixed-version: 1.26.0-r2
      - timestamp: 2024-05-29T07:15:57Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: de7aa4cf3030983a
            componentName: bcprov-jdk18on
            componentVersion: "1.71"
            componentType: java-archive
            componentLocation: /usr/share/nifi/nifi-current/lib/nifi-scripting-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-06-09T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.

  - id: CGA-9vjr-qmvr-wg48
    aliases:
      - CVE-2022-42004
      - GHSA-rgv9-q543-rqg4
    events:
      - timestamp: 2024-05-17T01:01:40Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: 21fc915d6c30f277
            componentName: jackson-databind
            componentVersion: 2.10.1
            componentType: java-archive
            componentLocation: /usr/share/nifi/lib/nifi-hwx-schema-registry-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-05-17T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.
      - timestamp: 2024-05-17T16:32:18Z
        type: fixed
        data:
          fixed-version: 1.26.0-r2
      - timestamp: 2024-05-29T07:16:54Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: 493c4c2168709bf4
            componentName: jackson-databind
            componentVersion: 2.10.1
            componentType: java-archive
            componentLocation: /usr/share/nifi/nifi-current/lib/nifi-hwx-schema-registry-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-06-09T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.

  - id: CGA-c6r7-g99h-mjx4
    aliases:
      - CVE-2024-36114
      - GHSA-973x-65j7-xcf4
    events:
      - timestamp: 2024-06-03T07:06:44Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: a98d96baa869de72
            componentName: aircompressor
            componentVersion: "0.21"
            componentType: java-archive
            componentLocation: /usr/share/nifi/nifi-current/lib/nifi-parquet-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-06-25T13:31:51Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.
      - timestamp: 2024-11-07T13:10:45Z
        type: fixed
        data:
          fixed-version: 2.0.0-r0

  - id: CGA-cr64-vww2-xpq8
    aliases:
      - CVE-2022-42003
      - GHSA-jjjh-jjxp-wpff
    events:
      - timestamp: 2024-05-17T01:01:25Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: 21fc915d6c30f277
            componentName: jackson-databind
            componentVersion: 2.10.1
            componentType: java-archive
            componentLocation: /usr/share/nifi/lib/nifi-hwx-schema-registry-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-05-17T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.
      - timestamp: 2024-05-17T16:32:08Z
        type: fixed
        data:
          fixed-version: 1.26.0-r2
      - timestamp: 2024-05-29T07:16:09Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: 493c4c2168709bf4
            componentName: jackson-databind
            componentVersion: 2.10.1
            componentType: java-archive
            componentLocation: /usr/share/nifi/nifi-current/lib/nifi-hwx-schema-registry-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-06-09T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.

  - id: CGA-fgh7-phh7-cj6x
    aliases:
      - CVE-2021-46877
      - GHSA-3x8x-79m2-3w2w
    events:
      - timestamp: 2024-05-17T01:00:38Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: 21fc915d6c30f277
            componentName: jackson-databind
            componentVersion: 2.10.1
            componentType: java-archive
            componentLocation: /usr/share/nifi/lib/nifi-hwx-schema-registry-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-05-17T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.
      - timestamp: 2024-05-17T16:32:11Z
        type: fixed
        data:
          fixed-version: 1.26.0-r2
      - timestamp: 2024-05-29T07:12:22Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: 493c4c2168709bf4
            componentName: jackson-databind
            componentVersion: 2.10.1
            componentType: java-archive
            componentLocation: /usr/share/nifi/nifi-current/lib/nifi-hwx-schema-registry-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-06-09T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.

  - id: CGA-g8pm-vcpp-9jxq
    aliases:
      - CVE-2023-2976
      - GHSA-7g45-4rm6-3mm3
    events:
      - timestamp: 2024-05-17T01:00:58Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: 6c75ff4ffd67eac3
            componentName: guava
            componentVersion: 14.0.1
            componentType: java-archive
            componentLocation: /usr/share/nifi/lib/nifi-social-media-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-05-17T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.
      - timestamp: 2024-05-17T16:32:10Z
        type: fixed
        data:
          fixed-version: 1.26.0-r2
      - timestamp: 2024-05-29T07:14:29Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: 37e170556587a4bf
            componentName: guava
            componentVersion: 14.0.1
            componentType: java-archive
            componentLocation: /usr/share/nifi/nifi-current/lib/nifi-social-media-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-06-09T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.

  - id: CGA-gph4-p2pw-xq8x
    aliases:
      - GHSA-xpw8-rcwv-8f8p
    events:
      - timestamp: 2024-05-17T01:02:02Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: 9c9e19cf354e3083
            componentName: netty-codec-http2
            componentVersion: 4.1.84.Final
            componentType: java-archive
            componentLocation: /usr/share/nifi/lib/nifi-couchbase-services-api-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-05-17T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.
      - timestamp: 2024-05-17T16:32:10Z
        type: fixed
        data:
          fixed-version: 1.26.0-r2
      - timestamp: 2024-05-29T07:17:53Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: 8f2d1c5d5b4647c3
            componentName: netty-codec-http2
            componentVersion: 4.1.84.Final
            componentType: java-archive
            componentLocation: /usr/share/nifi/nifi-current/lib/nifi-couchbase-services-api-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-06-09T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.

  - id: CGA-gvjp-vvhp-q286
    aliases:
      - CVE-2024-38820
      - GHSA-4gc7-5j7h-4qph
    events:
      - timestamp: 2024-10-19T07:08:47Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi-compat
            componentID: ec9b964e49bcc5b8
            componentName: spring-context
            componentVersion: 5.3.39
            componentType: java-archive
            componentLocation: /usr/share/nifi/nifi-toolkit-current/lib/spring-context-5.3.39.jar
            scanner: grype
      - timestamp: 2024-10-30T11:44:12Z
        type: pending-upstream-fix
        data:
          note: Patched version 5.3.41 is not available publicly. It is only available through Sring Enterprise support - see https://spring.io/security/cve-2024-38820
      - timestamp: 2024-11-07T13:10:49Z
        type: fixed
        data:
          fixed-version: 2.0.0-r0

  - id: CGA-h8j8-9v3w-chjj
    aliases:
      - CVE-2021-22569
      - GHSA-wrvw-hg22-4m67
    events:
      - timestamp: 2024-05-17T01:01:53Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: 97958e540399f5bc
            componentName: protobuf-java
            componentVersion: 2.5.0
            componentType: java-archive
            componentLocation: /usr/share/nifi/lib/nifi-hbase_2-client-service-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-05-17T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.
      - timestamp: 2024-05-17T16:32:16Z
        type: fixed
        data:
          fixed-version: 1.26.0-r2
      - timestamp: 2024-05-29T07:17:29Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: b2974c9bac74ed01
            componentName: protobuf-java
            componentVersion: 2.5.0
            componentType: java-archive
            componentLocation: /usr/share/nifi/nifi-current/lib/nifi-hadoop-libraries-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-06-09T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.

  - id: CGA-hh56-m6x9-xqf5
    aliases:
      - CVE-2024-23454
      - GHSA-f5fw-25gw-5m92
    events:
      - timestamp: 2024-09-26T07:13:07Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: 8efd7020313f6e8e
            componentName: hadoop-common
            componentVersion: 3.2.4
            componentType: java-archive
            componentLocation: /usr/share/nifi/nifi-current/lib/nifi-hbase_2-client-service-nar-1.27.0.nar
            scanner: grype
      - timestamp: 2024-10-07T21:12:58Z
        type: pending-upstream-fix
        data:
          note: 'This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The most recent version of nifi-hbase_2-client-service-nar is implemented and can be found here: https://mvnrepository.com/artifact/org.apache.nifi/nifi-hbase_2-client-service-nar/1.27.0 The upstream maintainers must mitigate this CVE.'
      - timestamp: 2024-11-07T13:10:47Z
        type: fixed
        data:
          fixed-version: 2.0.0-r0

  - id: CGA-hvjw-cqfw-cqf3
    aliases:
      - CVE-2023-52428
      - GHSA-gvpg-vgmx-xg6w
    events:
      - timestamp: 2024-05-17T01:01:12Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: 6c1946e0c8bdd4ce
            componentName: nimbus-jose-jwt
            componentVersion: "7.9"
            componentType: java-archive
            componentLocation: /usr/share/nifi/lib/nifi-hwx-schema-registry-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-05-17T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.
      - timestamp: 2024-05-17T16:32:19Z
        type: fixed
        data:
          fixed-version: 1.26.0-r2
      - timestamp: 2024-05-29T07:15:24Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: 64d485ae245d4773
            componentName: nimbus-jose-jwt
            componentVersion: "7.9"
            componentType: java-archive
            componentLocation: /usr/share/nifi/nifi-current/lib/nifi-hwx-schema-registry-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-06-09T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.

  - id: CGA-j63r-xcw7-ppw8
    aliases:
      - CVE-2021-22570
      - GHSA-77rm-9x9h-xj3g
    events:
      - timestamp: 2024-05-17T01:00:56Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: 97958e540399f5bc
            componentName: protobuf-java
            componentVersion: 2.5.0
            componentType: java-archive
            componentLocation: /usr/share/nifi/lib/nifi-hbase_2-client-service-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-05-17T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.
      - timestamp: 2024-05-17T16:32:12Z
        type: fixed
        data:
          fixed-version: 1.26.0-r2
      - timestamp: 2024-05-29T07:14:18Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: bee580f749c1fcf8
            componentName: protobuf-java
            componentVersion: 2.5.0
            componentType: java-archive
            componentLocation: /usr/share/nifi/nifi-current/lib/nifi-hbase_2-client-service-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-06-09T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.

  - id: CGA-jjwj-6v39-vh3f
    aliases:
      - CVE-2024-30172
      - GHSA-m44j-cfrm-g8qc
    events:
      - timestamp: 2024-05-17T01:01:29Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: 5c53423d42f1274f
            componentName: bcpkix-jdk18on
            componentVersion: "1.71"
            componentType: java-archive
            componentLocation: /usr/share/nifi/lib/nifi-scripting-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-05-17T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.
      - timestamp: 2024-05-17T16:32:04Z
        type: fixed
        data:
          fixed-version: 1.26.0-r2
      - timestamp: 2024-05-29T07:16:20Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: 2e97ef63bb30e17c
            componentName: bcpkix-jdk18on
            componentVersion: "1.71"
            componentType: java-archive
            componentLocation: /usr/share/nifi/nifi-current/lib/nifi-scripting-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-06-09T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.

  - id: CGA-jp8x-p2pf-pcp2
    aliases:
      - CVE-2020-25649
      - GHSA-288c-cq4h-88gq
    events:
      - timestamp: 2024-05-17T01:00:36Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: 21fc915d6c30f277
            componentName: jackson-databind
            componentVersion: 2.10.1
            componentType: java-archive
            componentLocation: /usr/share/nifi/lib/nifi-hwx-schema-registry-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-05-17T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.
      - timestamp: 2024-05-17T16:32:15Z
        type: fixed
        data:
          fixed-version: 1.26.0-r2
      - timestamp: 2024-05-29T07:12:01Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: 493c4c2168709bf4
            componentName: jackson-databind
            componentVersion: 2.10.1
            componentType: java-archive
            componentLocation: /usr/share/nifi/nifi-current/lib/nifi-hwx-schema-registry-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-06-09T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.

  - id: CGA-m9x3-8pwv-rjh3
    aliases:
      - CVE-2022-3509
      - GHSA-g5ww-5jh7-63cx
    events:
      - timestamp: 2024-05-17T01:01:09Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: 97958e540399f5bc
            componentName: protobuf-java
            componentVersion: 2.5.0
            componentType: java-archive
            componentLocation: /usr/share/nifi/lib/nifi-hbase_2-client-service-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-05-17T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.
      - timestamp: 2024-05-17T16:32:06Z
        type: fixed
        data:
          fixed-version: 1.26.0-r2
      - timestamp: 2024-05-29T07:15:13Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: bee580f749c1fcf8
            componentName: protobuf-java
            componentVersion: 2.5.0
            componentType: java-archive
            componentLocation: /usr/share/nifi/nifi-current/lib/nifi-hbase_2-client-service-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-06-09T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.

  - id: CGA-mh4f-39hj-cv5p
    aliases:
      - CVE-2020-36518
      - GHSA-57j2-w4cx-62h2
    events:
      - timestamp: 2024-05-17T01:00:46Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: 21fc915d6c30f277
            componentName: jackson-databind
            componentVersion: 2.10.1
            componentType: java-archive
            componentLocation: /usr/share/nifi/lib/nifi-hwx-schema-registry-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-05-17T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.
      - timestamp: 2024-05-17T16:32:17Z
        type: fixed
        data:
          fixed-version: 1.26.0-r2
      - timestamp: 2024-05-29T07:13:25Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: 493c4c2168709bf4
            componentName: jackson-databind
            componentVersion: 2.10.1
            componentType: java-archive
            componentLocation: /usr/share/nifi/nifi-current/lib/nifi-hwx-schema-registry-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-06-09T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.

  - id: CGA-mj2j-pchp-6q44
    aliases:
      - CVE-2024-6763
      - GHSA-qh8g-58pp-2wxh
    events:
      - timestamp: 2024-10-15T09:10:53Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi-compat
            componentID: 2d161de2c3143a1a
            componentName: jetty-http
            componentVersion: 9.4.54.v20240208
            componentType: java-archive
            componentLocation: /usr/share/nifi/nifi-toolkit-current/lib/jetty-http-9.4.54.v20240208.jar
            scanner: grype
      - timestamp: 2024-10-24T17:33:13Z
        type: pending-upstream-fix
        data:
          note: 'Remediating this CVE would require 3 major version bumps, which all have breaking changes. This work was done as part of apache-nifi version 2.0.0, and therefore the fix will be released with that version. '
      - timestamp: 2024-11-07T13:10:45Z
        type: fixed
        data:
          fixed-version: 2.0.0-r0

  - id: CGA-q59c-5jjp-7wcw
    aliases:
      - CVE-2024-25638
      - GHSA-cfxw-4h78-h7fw
    events:
      - timestamp: 2024-07-24T07:07:11Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: ec2d95b8a62b475b
            componentName: dnsjava
            componentVersion: 2.1.7
            componentType: java-archive
            componentLocation: /usr/share/nifi/nifi-current/lib/nifi-hbase_2-client-service-nar-1.27.0.nar
            scanner: grype
      - timestamp: 2024-07-30T15:52:20Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency (nifi-hbase_2-client-service-nar) which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.
      - timestamp: 2024-11-07T13:10:48Z
        type: fixed
        data:
          fixed-version: 2.0.0-r0

  - id: CGA-q8q6-vmh7-23q3
    aliases:
      - CVE-2022-41915
      - GHSA-hh82-3pmq-7frp
    events:
      - timestamp: 2024-05-17T01:01:19Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: 470809a5bd5857e4
            componentName: netty-codec-http
            componentVersion: 4.1.84.Final
            componentType: java-archive
            componentLocation: /usr/share/nifi/lib/nifi-couchbase-services-api-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-05-17T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.
      - timestamp: 2024-05-17T16:32:00Z
        type: fixed
        data:
          fixed-version: 1.26.0-r2
      - timestamp: 2024-05-29T07:15:46Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: d7f800220b1bc332
            componentName: netty-codec-http
            componentVersion: 4.1.84.Final
            componentType: java-archive
            componentLocation: /usr/share/nifi/nifi-current/lib/nifi-couchbase-services-api-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-06-09T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.

  - id: CGA-q98p-rjg3-8jq7
    aliases:
      - CVE-2023-33202
      - GHSA-wjxj-5m7g-mg7q
    events:
      - timestamp: 2024-05-17T01:01:49Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: 5c53423d42f1274f
            componentName: bcpkix-jdk18on
            componentVersion: "1.71"
            componentType: java-archive
            componentLocation: /usr/share/nifi/lib/nifi-scripting-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-05-17T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.
      - timestamp: 2024-05-17T16:32:02Z
        type: fixed
        data:
          fixed-version: 1.26.0-r2
      - timestamp: 2024-05-29T07:17:18Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: 2e97ef63bb30e17c
            componentName: bcpkix-jdk18on
            componentVersion: "1.71"
            componentType: java-archive
            componentLocation: /usr/share/nifi/nifi-current/lib/nifi-scripting-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-06-09T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.

  - id: CGA-r5wx-5789-jqwq
    aliases:
      - CVE-2024-47561
      - GHSA-r7pg-v2c8-mfg3
    events:
      - timestamp: 2024-10-09T08:02:28Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: d316e789318e305f
            componentName: avro
            componentVersion: 1.11.3
            componentType: java-archive
            componentLocation: /usr/share/nifi/nifi-current/lib/nifi-avro-nar-1.27.0.nar
            scanner: grype

  - id: CGA-v5ww-c56j-4phc
    aliases:
      - CVE-2024-35255
      - GHSA-m5vv-6r4h-3vj9
    events:
      - timestamp: 2024-06-12T07:28:44Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: 3ee24ec264f71a5d
            componentName: azure-identity
            componentVersion: 1.11.2
            componentType: java-archive
            componentLocation: /usr/share/nifi/nifi-current/lib/properties/azure-identity-1.11.2.jar
            scanner: grype
      - timestamp: 2024-06-25T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.

  - id: CGA-vp49-2674-66w8
    aliases:
      - CVE-2016-1000027
      - GHSA-4wrc-f8pq-fpqp
    events:
      - timestamp: 2024-05-17T01:00:44Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: b5523a0d9d9e4ba1
            componentName: spring-web
            componentVersion: 5.3.34
            componentType: java-archive
            componentLocation: /usr/share/nifi/lib/nifi-framework-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-05-17T08:31:36Z
        type: pending-upstream-fix
        data:
          note: Remediating this CVE will require upgrading from Spring v5 to Spring v6, which is a major version increment with high risk. Awaiting for Upstream to migrate from Spring 5.3.x to 6.x
      - timestamp: 2024-05-17T16:32:13Z
        type: fixed
        data:
          fixed-version: 1.26.0-r2
      - timestamp: 2024-05-29T07:13:15Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: 02f9eb2f4f3ae4c7
            componentName: spring-web
            componentVersion: 5.3.34
            componentType: java-archive
            componentLocation: /usr/share/nifi/nifi-current/lib/properties/spring-web-5.3.34.jar
            scanner: grype
      - timestamp: 2024-06-09T08:31:36Z
        type: pending-upstream-fix
        data:
          note: Remediating this CVE will require upgrading from Spring v5 to Spring v6, which is a major version increment with high risk. Awaiting for Upstream to migrate from Spring 5.3.x to 6.x
      - timestamp: 2024-07-16T18:09:07Z
        type: false-positive-determination
        data:
          type: vulnerability-record-analysis-contested
          note: 'This CVE is disputed by upstream Spring Framework developers: https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-582313417. The Spring Framework provides an option to invoke ObjectInputStream (along with documented warnings). The presence of this capability in the Spring Framework doesn''t represent a vulnerability.'

  - id: CGA-vqqq-58x5-rqr9
    aliases:
      - CVE-2022-46337
      - GHSA-rcjc-c4pj-xxrp
    events:
      - timestamp: 2024-05-17T01:00:35Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: 0716aeac20d45159
            componentName: derby
            componentVersion: 10.14.2.0
            componentType: java-archive
            componentLocation: /usr/share/nifi/lib/nifi-dbcp-service-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-05-17T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.
      - timestamp: 2024-05-17T16:32:03Z
        type: fixed
        data:
          fixed-version: 1.26.0-r2
      - timestamp: 2024-05-29T07:11:51Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: 522df897c26ce675
            componentName: derby
            componentVersion: 10.14.2.0
            componentType: java-archive
            componentLocation: /usr/share/nifi/nifi-current/lib/nifi-dbcp-service-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-06-09T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.

  - id: CGA-vv6c-qmv8-86qc
    aliases:
      - GHSA-mmwx-rj87-vfgr
    events:
      - timestamp: 2024-07-24T07:07:50Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: ec2d95b8a62b475b
            componentName: dnsjava
            componentVersion: 2.1.7
            componentType: java-archive
            componentLocation: /usr/share/nifi/nifi-current/lib/nifi-hbase_2-client-service-nar-1.27.0.nar
            scanner: grype
      - timestamp: 2024-07-30T15:52:20Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency (nifi-hbase_2-client-service-nar) which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.

  - id: CGA-x9cj-c42r-f4mr
    aliases:
      - CVE-2024-29857
      - GHSA-8xfc-gm6g-vgpv
    events:
      - timestamp: 2024-05-17T01:01:01Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: 5c53423d42f1274f
            componentName: bcpkix-jdk18on
            componentVersion: "1.71"
            componentType: java-archive
            componentLocation: /usr/share/nifi/lib/nifi-scripting-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-05-17T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.
      - timestamp: 2024-05-17T16:32:15Z
        type: fixed
        data:
          fixed-version: 1.26.0-r2
      - timestamp: 2024-05-29T07:14:39Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: 2e97ef63bb30e17c
            componentName: bcpkix-jdk18on
            componentVersion: "1.71"
            componentType: java-archive
            componentLocation: /usr/share/nifi/nifi-current/lib/nifi-scripting-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-06-09T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.

  - id: CGA-xp6q-2w42-9mfm
    aliases:
      - CVE-2022-3171
      - GHSA-h4h5-3hr4-j3g2
    events:
      - timestamp: 2024-05-17T01:01:15Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: 97958e540399f5bc
            componentName: protobuf-java
            componentVersion: 2.5.0
            componentType: java-archive
            componentLocation: /usr/share/nifi/lib/nifi-hbase_2-client-service-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-05-17T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.
      - timestamp: 2024-05-17T16:32:07Z
        type: fixed
        data:
          fixed-version: 1.26.0-r2
      - timestamp: 2024-05-29T07:15:35Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi
            componentID: bee580f749c1fcf8
            componentName: protobuf-java
            componentVersion: 2.5.0
            componentType: java-archive
            componentLocation: /usr/share/nifi/nifi-current/lib/nifi-hbase_2-client-service-nar-1.26.0.nar
            scanner: grype
      - timestamp: 2024-06-09T08:31:36Z
        type: pending-upstream-fix
        data:
          note: This vulnerability exists within a pre-compiled dependency which nifi depends on, and we lack the ability to patch. The upstream maintainers must mitigate this CVE.