PT-2023-6523 · Apache · Apache Nifi Minifi C++

Ferenc Gerlits · Published 2023-09-03 · Updated 2023-09-08 · CVE-2023-41180

CVSS v3.1: 5.9 (Medium)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

Apache NiFi MiNiFi C++ versions 0.13 through 0.14

Description

The issue is incorrect certificate validation in the InvokeHTTP component, which allows an intermediary to present a forged certificate during the TLS handshake. It occurs because the Disable Peer Verification property of InvokeHTTP was effectively flipped, so peer verification is disabled by default when using HTTPS.

Recommendations

For Apache NiFi MiNiFi C++ versions 0.13.0 or 0.14.0, set the Disable Peer Verification property of InvokeHTTP to true; because the property is flipped in these versions, this is the setting that turns verification on. Upgrading to MiNiFi C++ 0.15.0 corrects the default behavior.

Fix

Improper Certificate Validation

Weakness Enumeration

Related Identifiers

BDU:2023-07270
CVE-2023-41180

Affected Products

Apache Nifi Minifi C++