Apache · Apache NiFi · CVE-2019-10083
Name of the Vulnerable Software and Affected Versions:
Apache NiFi versions 1.3.0 through 1.9.2 (fixed in Apache NiFi 1.10.0)
Description:
Information disclosure through an authorization gap in the REST API. When a Process Group is updated via the API, the response includes the group's contents (its top-level components, not recursively). Those contents carry details about the processors and controller services inside the group, so a user who holds write access to the process group receives component details even when that user has no read access to the components themselves.
Recommendations:
Upgrade to Apache NiFi 1.10.0 or later, where the update response no longer returns the component details. The response body is built by the server, so operators of an affected release cannot trim it themselves; the interim mitigation is to control who can reach the update path. Review the access policies on each Process Group and grant "modify the component" only to users who are also permitted to read the processors and controller services it contains, or restrict the process-group update endpoint of the API (for example at a reverse proxy) to trusted administrators until the upgrade is done.
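A practitioner checking an affected or freshly upgraded instance wants to confirm what an update response actually discloses. The script below is an added example, not code from the advisory or from the Apache NiFi project: it parses the JSON body returned by a Process Group update and lists every processor or controller service in it whose id is outside the set of components the caller is authorized to read. The field layout (a "component" object with a "contents" map holding "processors" and "controllerServices" lists) and the way the readable id set is obtained are assumptions for the example; the sample response is constructed, not captured from a server.

```python
"""Added example (not part of the advisory or the NiFi project): inspect the JSON
body returned by a Process Group update and report any processors or controller
services it discloses that the calling user is not authorized to read.

Assumptions (not taken from the advisory): the response is an entity whose
"component" carries a "contents" map with "processors" and "controllerServices"
lists, each element having an "id" and optionally a "name" and "type"; the set
of component ids the user may read is obtained elsewhere (for example from the
user's own authorized flow view) and passed in as readable_ids.
"""
import json

# Constructed sample response, laid out per the assumed field structure above.
# The caller is imagined to have read access to "proc-a" only.
SAMPLE_RESPONSE = json.dumps({
    "revision": {"version": 4},
    "id": "pg-1",
    "component": {
        "id": "pg-1",
        "name": "ingest",
        "contents": {
            "processors": [
                {"id": "proc-a", "name": "GetFile",
                 "type": "org.apache.nifi.processors.standard.GetFile"},
                {"id": "proc-b", "name": "FetchS3Object",
                 "type": "org.apache.nifi.processors.aws.s3.FetchS3Object"},
            ],
            "controllerServices": [
                {"id": "cs-1", "name": "AWSCredentials",
                 "type": "org.apache.nifi.processors.aws.credentials.provider.service.AWSCredentialsProviderControllerService"},
            ],
        },
    },
})


def disclosed_components(response_body, readable_ids):
    """Return one record per processor or controller service present in the
    update response whose id is not in readable_ids, i.e. a component whose
    details reached a caller without read access to it. An empty list means
    the response disclosed nothing beyond what the caller may read."""
    entity = json.loads(response_body)
    component = entity.get("component") or {}
    contents = component.get("contents") or {}
    leaked = []
    for kind in ("processors", "controllerServices"):
        for comp in contents.get(kind) or []:
            cid = comp.get("id")
            if cid not in readable_ids:
                leaked.append({"kind": kind, "id": cid,
                               "name": comp.get("name"), "type": comp.get("type")})
    return leaked


if __name__ == "__main__":
    # Usage: run against a body saved from the update request made as the
    # low-privilege user, with readable_ids taken from that user's flow view.
    for rec in disclosed_components(SAMPLE_RESPONSE, {"proc-a"}):
        print(f"{rec['kind']}: {rec['id']} ({rec['name']}) returned "
              f"to a caller without read access")
```

Run the update as the low-privilege user (one with write but not read on the group's children), save the response body, and feed it to the function with that user's readable ids; on a fixed release the returned list should be empty, and on an affected release it names exactly the components being leaked.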