Apache NiFi versions from 0.0.1 up to but not including 2.10.0 support building qualified URLs from several HTTP request headers without validating values provided in alternative headers like X-ProxyHost and X-Forwarded-Host. While version 1.6.0 added validation for the Host header, it did not extend this to proxy-related headers, allowing clients to influence URL construction improperly. This origin validation error (CWE-346) can lead to the construction of invalid URLs used in redirection or data references. The issue is mitigated in Apache NiFi 2.10.0 by implementing validation for these headers based on the nifi.web.proxy.host property, which requires HTTPS configuration. Reverse proxy servers should filter and provide allowed header values to NiFi.

The vulnerability allows an attacker to supply crafted HTTP headers that influence the construction of qualified URLs by Apache NiFi web services. This can result in invalid URLs being generated for redirection or data references, potentially leading to security issues related to URL trust and origin validation. The CVSS 4.0 score of 6.3 indicates a medium severity impact with network attack vector, low attack complexity, no privileges required, no user interaction, and limited impact on confidentiality and integrity, but some impact on availability and resource consumption.

Upgrade Apache NiFi to version 2.10.0 or later, which implements validation for the X-ProxyHost and X-Forwarded-Host HTTP request headers based on the nifi.web.proxy.host property. This validation requires configuring the application with HTTPS. Additionally, ensure that reverse proxy servers in front of Apache NiFi filter input request headers and provide only allowed values to the application. Patch status is not explicitly confirmed in the advisory, but upgrading to 2.10.0 is the recommended mitigation.