Apache · Apache NiFi MiNiFi C++ · CVE-2023-41180
**Name of the Vulnerable Software and Affected Versions**
Apache NiFi MiNiFi C++ versions 0.13 through 0.14
**Description**
Incorrect certificate validation in the InvokeHTTP component allows an intermediary to present a forged certificate during TLS handshake negotiation. The Disable Peer Verification property of InvokeHTTP was effectively flipped, so verification is disabled by default when using HTTPS.
**Recommendations**
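For Apache NiFi MiNiFi C++ versions 0.13.0 or 0.14.0, set the Disable Peer Verification property of InvokeHTTP to true. Because the property is effectively flipped in these versions, this value is what turns peer verification on.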
Upgrading to MiNiFi C++ 0.15.0 corrects the default behavior.
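The following check is an added example, not code from the advisory or from the MiNiFi project: it walks an already-parsed flow configuration and lists the HTTPS InvokeHTTP processors whose peer verification is effectively off for a given MiNiFi C++ version. The `Processors` / `class` / `Properties` layout, the `Remote URL` property name, the sample flow, and the reading that 0.15.0 treats the property literally are assumptions.

```python
# Added example: audit a parsed MiNiFi C++ flow for InvokeHTTP processors
# whose TLS peer verification is effectively off (CVE-2023-41180).
AFFECTED = {(0, 13), (0, 14)}  # release lines named in the advisory


def _is_true(value):
    """A YAML loader may yield a bool or a string for the property."""
    return str(value).strip().lower() == "true"


def verification_enabled(version, props):
    """Effective peer-verification state for one InvokeHTTP processor."""
    major, minor = (int(p) for p in version.split(".")[:2])
    disable = _is_true(props.get("Disable Peer Verification", False))
    if (major, minor) in AFFECTED:
        # Property is inverted in these releases: "true" turns verification on.
        return disable
    # Assumption: outside the affected range the property acts as it is named.
    return not disable


def audit_flow(version, flow):
    """Return names of HTTPS InvokeHTTP processors that skip verification."""
    findings = []
    for proc in flow.get("Processors") or []:
        # Assumed config layout: each processor has "class" and "Properties".
        if not str(proc.get("class", "")).endswith("InvokeHTTP"):
            continue
        props = proc.get("Properties") or {}
        url = str(props.get("Remote URL", "")).lower()
        if url.startswith("https://") and not verification_enabled(version, props):
            findings.append(proc.get("name", "<unnamed>"))
    return findings


# Constructed sample flow, shaped like a YAML loader's output; all names are made up.
SAMPLE_FLOW = {"Processors": [
    {"name": "PostDefault", "class": "org.apache.nifi.processors.standard.InvokeHTTP",
     "Properties": {"Remote URL": "https://collector.example/ingest"}},
    {"name": "PostWorkaround", "class": "InvokeHTTP",
     "Properties": {"Remote URL": "https://collector.example/ingest",
                    "Disable Peer Verification": "true"}},
    {"name": "PlainHttp", "class": "InvokeHTTP",
     "Properties": {"Remote URL": "http://localhost:8080/health"}},
]}

if __name__ == "__main__":
    for v in ("0.13.0", "0.14.0", "0.15.0"):
        print(v, audit_flow(v, SAMPLE_FLOW))
```

Under that reading of 0.15.0, a processor carrying the workaround value is the one flagged after the upgrade, so the property should be reviewed again at that point.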