CVE-2019-12421

Name of the Vulnerable Software and Affected Versions NiFi versions 1.0.0 through 1.9.2

Description The issue occurs when using an authentication mechanism other than PKI. After a user clicks Log Out, NiFi invalidates the authentication token on the client side but fails to do so on the server side. This allows the client-side token to be used for up to 12 hours after logging out, enabling unauthorized API requests to NiFi.

Recommendations For NiFi versions 1.0.0 through 1.9.2, consider implementing a server-side token invalidation mechanism to prevent unauthorized access after a user logs out. As a temporary workaround, restrict API requests from clients that have logged out to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.