CVE-2020-9487

Name of the Vulnerable Software and Affected Versions Apache NiFi versions 1.0.0 through 1.11.4

Description The issue concerns the NiFi download token mechanism, which uses a fixed cache size and does not authenticate requests to create download tokens. This allows an unauthenticated user to repeatedly request download tokens, thereby preventing legitimate users from doing so.

Recommendations For Apache NiFi versions 1.0.0 through 1.11.4, consider restricting access to the download token creation mechanism to authenticated users as a temporary workaround until a patch is available. Additionally, monitor the download token request rate to detect and prevent potential abuse. At the moment, there is no information about a newer version that contains a fix for this vulnerability.