Arpad Boda

**Name of the Vulnerable Software and Affected Versions** Apache NiFi MiNiFi C++ versions 0.5.0 through 0.9.x **Description** The c2 protocol in Apache NiFi MiNiFi C++ implements an "agent-update" command designed to patch the application binary. This command defaults to calling a trusted binary but can be modified to an arbitrary value through a "c2-update" command. The modified command is then executed with the same privileges as the application binary. **Recommendations** For versions 0.5.0 through 0.9.x, update to version 0.10.0 to address the issue. As a temporary workaround, consider restricting access to the "c2-update" command to prevent modification of the "agent-update" command until a patch is applied.