Apache · Nifi-Asana-Processors-Nar · CVE-2025-66524
**Name of the Vulnerable Software and Affected Versions**
Apache NiFi versions 1.20.0 through 2.6.0
**Description**
The GetAsanaObject Processor in Apache NiFi uses a Distributed Map Cache Client Service for state management. The processor serializes and deserializes this state with Java Object serialization without adequate filtering, so crafted state information stored in the cache server creates a potential for exploitation. Successful exploitation requires access to the configured cache server and an Apache NiFi system running the GetAsanaObject Processor.
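To illustrate what "adequate filtering" means for state read back from a cache, the added example below contrasts an unfiltered `ObjectInputStream` read with one restricted by a `java.io.ObjectInputFilter` allow-list (Java 9 or later). It is not NiFi's code and not the 2.7.0 fix, which moves to JSON; the class name, the `Map<String, String>` state shape and the sample values are assumptions constructed for the demonstration.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Map;

public class FilteredStateDemo {
    // Allow-list for the assumed state type (a HashMap of Strings); "!*" rejects every other class.
    // java.util.Map$Entry is listed so the Map.Entry[] size check HashMap makes in readObject passes.
    static final ObjectInputFilter STATE_FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=5;maxrefs=10000;maxbytes=1048576;"
            + "java.util.HashMap;java.util.Map$Entry;java.lang.String;!*");

    static byte[] serialize(Object value) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(value);
        }
        return bytes.toByteArray();
    }

    // Unfiltered read: whatever Serializable class the cached bytes name is instantiated.
    static Object readUnfiltered(byte[] cached) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(cached))) {
            return in.readObject();
        }
    }

    // Filtered read: the filter is set before the first readObject call and checks each class.
    static Map<String, String> readFiltered(byte[] cached) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(cached))) {
            in.setObjectInputFilter(STATE_FILTER);
            @SuppressWarnings("unchecked")
            Map<String, String> state = (Map<String, String>) in.readObject();
            return state;
        }
    }

    public static void main(String[] args) throws Exception {
        Map<String, String> state = new HashMap<>();
        state.put("task-1", "fingerprint-a"); // constructed sample state
        System.out.println("allowed:    " + readFiltered(serialize(state)));

        // ArrayList stands in for any class that is not on the allow-list.
        byte[] unexpected = serialize(new ArrayList<>(state.keySet()));
        System.out.println("unfiltered: " + readUnfiltered(unexpected).getClass().getName());
        try {
            readFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("rejected:   " + e.getMessage());
        }
    }
}
```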
**Recommendations**
Upgrade to Apache NiFi version 2.7.0, which replaces Java Object serialization with JSON serialization.
Remove the GetAsanaObject Processor located in the nifi-asana-processors-nar bundle.