PT-2019-11423 · Apache · Apache Nifi
Mark Payne
·
Published
2019-11-19
·
Updated
2020-01-24
·
CVE-2019-10083
CVSS v3.1
5.3
Medium
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions:
Apache NiFi versions 1.3.0 through 1.9.2
Description:
The issue allows unauthorized access to sensitive information when updating a Process Group via the API. The response to the request includes details about processors and controller services, which the user may not have had read access to.
Recommendations:
For Apache NiFi versions 1.3.0 through 1.9.2, consider restricting access to the API endpoint used for updating Process Groups until a fix is available. As a temporary workaround, limit the information included in the response to only what is necessary for the user's role, or apply access controls to sensitive details about processors and controller services.
Fix
Information Disclosure
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Apache Nifi