PT-2020-20692 · Apache · Nifi Registry

Andy Lopresto · Published 2020-04-28 · Updated 2022-02-09 · CVE-2020-9482

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: NiFi Registry versions 0.1.0 through 0.5.0 (fixed in 0.6.0)
Description: The issue arises when NiFi Registry is configured with an authentication mechanism other than PKI (client certificates), that is, one that issues a bearer token (JWT) after login, such as the LDAP or Kerberos identity providers. When the user clicks Log Out, NiFi Registry discards the token on the client side but does not invalidate it on the server side, so the token stays valid until its own expiration, which with the default configuration is up to 12 hours. Anyone holding a copy of that token (another browser tab, a proxy or access log that recorded the Authorization header, an attacker who captured it in transit) can keep making authenticated API requests to NiFi Registry as that user after the user believes the session has ended.
Recommendations: Upgrade to NiFi Registry 0.6.0 or later, where Log Out invalidates the token on the server side as well. In the affected versions no configuration setting makes Log Out revoke a token, so until the upgrade the exposure can only be reduced, not removed: use PKI (client certificate) authentication, which issues no token and is not affected; shorten the token lifetime (the Authentication Expiration property of the LDAP and Kerberos identity providers in identity-providers.xml, whose 12-hour default is the source of the figure above) so a leaked token is useful for less time; and treat every issued token as live until it expires, keeping it out of logs and proxies and off shared machines.
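As an added illustration (not code from this page or from the Apache NiFi Registry project), the Python below models the two behaviours described above: a logout that is acknowledged but leaves the server with no record, and a hardened logout that records the token's id in a denylist held until that token's own expiry. It uses a simplified HMAC-signed token in place of NiFi Registry's real JWT, and the class, function and claim names are mine. The REST paths named in the comments (`/nifi-registry-api/access/token/login`, `/nifi-registry-api/access/logout`, `/nifi-registry-api/buckets`) are the calls the same login, use, log out, replay sequence would make against a live instance; they are quoted from memory of the NiFi Registry REST API and should be confirmed against the target version's API docs before being relied on. `logout_invalidates_token` is the check a practitioner would run against both the affected and the fixed behaviour.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed signing key for this demo only; a real deployment generates and stores its own.
SIGNING_KEY = b"demo-only-hmac-key"
DEFAULT_LIFETIME_S = 12 * 3600  # the 12-hour token lifetime the advisory refers to


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class RegistryTokenService:
    """Simplified stand-in for the server side of NiFi Registry's token login flow.

    server_side_logout=False mimics 0.1.0-0.5.0: logout is acknowledged but the
    server keeps no record, so the token stays valid until its 'exp' claim.
    server_side_logout=True is the hardened pattern: logout records the token id
    (jti) in a denylist that is kept until that token would have expired anyway.
    """

    def __init__(self, lifetime_s=DEFAULT_LIFETIME_S, server_side_logout=False):
        self.lifetime_s = lifetime_s
        self.server_side_logout = server_side_logout
        self._revoked = {}  # jti -> exp, used only when server_side_logout is True

    # Real API: POST /nifi-registry-api/access/token/login with HTTP Basic credentials
    def login(self, user: str, now: int) -> str:
        claims = {"sub": user, "iat": now, "exp": now + self.lifetime_s,
                  "jti": secrets.token_hex(8)}
        body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
        sig = _b64url(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
        return f"{body}.{sig}"

    def _claims_if_valid(self, token: str, now: int):
        try:
            body, sig = token.split(".")
        except ValueError:
            return None
        expected = _b64url(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(sig, expected):
            return None
        claims = json.loads(_b64url_decode(body))
        if claims["exp"] <= now or claims["jti"] in self._revoked:
            return None
        return claims

    # Real API: DELETE /nifi-registry-api/access/logout
    def logout(self, token: str, now: int) -> int:
        if self.server_side_logout:
            claims = self._claims_if_valid(token, now)
            if claims is not None:
                self._revoked[claims["jti"]] = claims["exp"]
            # Drop entries whose token has expired on its own, keeping the denylist bounded.
            self._revoked = {j: e for j, e in self._revoked.items() if e > now}
        # In the affected versions nothing happens here; the client just deletes its copy.
        return 200

    # Any authenticated call, e.g. GET /nifi-registry-api/buckets with "Authorization: Bearer <token>"
    def get_buckets(self, token: str, now: int) -> int:
        return 200 if self._claims_if_valid(token, now) else 401


def logout_invalidates_token(service: RegistryTokenService, now: int = 1_600_000_000) -> bool:
    """Login, use the token, log out, then replay a retained copy of the token.

    Returns True when the replay is rejected (server-side invalidation works) and
    False when the replayed token is still accepted, the CVE-2020-9482 behaviour.
    """
    token = service.login("alice", now)
    if service.get_buckets(token, now) != 200:
        raise RuntimeError("fresh token rejected; fix the setup before drawing conclusions")
    service.logout(token, now)
    # The browser forgot the token; this copy (other tab, proxy log, attacker) did not.
    return service.get_buckets(token, now + 60) == 401
```

Run against a live 0.1.0 to 0.5.0 instance, the replay step is the one that should fail and does not: the old bearer token is still accepted on any API call until its expiry. The hardened `logout` keys its denylist on `jti` and expires entries together with the token, so the list never grows beyond the number of logouts within one token lifetime, which is what makes server-side invalidation of stateless tokens cheap enough to keep.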

Fix

Upgrade to Apache NiFi Registry 0.6.0 or later, in which Log Out invalidates the token on the server side.

Weakness Enumeration

CWE-613: Insufficient Session Expiration

Related Identifiers

CVE-2020-9482
GHSA-RCWJ-2HJ2-VMJJ

Affected Products

Nifi Registry