PT-2022-18100 · Apache · Apache Nifi

David Handermann

Published 2022-04-06 · Updated 2025-09-12

CVE-2022-26850

CVSS v3.1: 4.3 Medium
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Apache NiFi versions prior to 1.16.0

Description: The issue arises when creating or updating credentials for single-user access in Apache NiFi. NiFi writes a copy of the Login Identity Providers configuration to the operating system temporary directory, which has global read permissions on most platforms. Although NiFi immediately moves the temporary file to the final configuration directory, limiting the window of opportunity for access, the vulnerability still exists. The org.apache.nifi.authentication.single.user.writer.StandardLoginCredentialsWriter class contains a local information disclosure vulnerability due to writing credentials to a file readable by all other users on Unix-like systems.
Recommendations: For versions prior to 1.16.0, update to Apache NiFi 1.16.0 or later, which replaces the Login Identity Providers configuration without writing a file to the operating system temporary directory. As a temporary workaround, set the java.io.tmpdir system property to a directory exclusively owned by the executing user; this addresses the issue on all operating systems.
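As an added illustration of the weakness and its mitigation (example code, not Apache NiFi's own), the Java snippet below contrasts a scratch file created in java.io.tmpdir with one created owner-only beside its destination and renamed atomically, plus a check that flags files other local users can read. The class and method names are invented for the example.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.*;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

// Added illustration, not NiFi code: why a scratch copy of a credentials file in
// java.io.tmpdir is exposed to other local users, and how to write it without that.
public class CredentialsFileWriter {

    // Weak pattern: java.io.File.createTempFile places the file in java.io.tmpdir, a
    // directory shared by all local users, and typically only the process umask limits
    // its mode; with the common 022 umask the credentials are world-readable until the
    // move completes.
    static Path writeViaSharedTmpdir(Path target, byte[] content) throws IOException {
        File tmp = File.createTempFile("login-identity-providers", ".xml");
        Files.write(tmp.toPath(), content);
        return Files.move(tmp.toPath(), target, StandardCopyOption.REPLACE_EXISTING);
    }

    // Hardened pattern: create the scratch file beside its destination, in a directory
    // owned by the executing user, with owner-only permissions, then rename it atomically
    // so no reader ever observes a partially written or world-readable copy.
    static Path writeOwnerOnly(Path target, byte[] content) throws IOException {
        Path dir = target.toAbsolutePath().getParent();
        Path tmp;
        try {
            tmp = Files.createTempFile(dir, "login-identity-providers", ".tmp",
                    PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------")));
        } catch (UnsupportedOperationException e) {
            // Non-POSIX filesystem (e.g. Windows): the parent directory's ACL is the protection.
            tmp = Files.createTempFile(dir, "login-identity-providers", ".tmp");
        }
        Files.write(tmp, content);
        return Files.move(tmp, target, StandardCopyOption.ATOMIC_MOVE);
    }

    // Defender's check: can any account other than the owner read this path?
    static boolean readableByOthers(Path p) throws IOException {
        try {
            Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
            return perms.contains(PosixFilePermission.GROUP_READ)
                    || perms.contains(PosixFilePermission.OTHERS_READ);
        } catch (UnsupportedOperationException e) {
            return false; // POSIX permission bits are not modelled on this filesystem
        }
    }
}
```

Running readableByOthers against the configuration directory after a write is a quick way to confirm a deployment's umask and tmpdir settings have not left a credentials file exposed.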

Weakness Enumeration

Insufficiently Protected Credentials
Exposure of Resource to Wrong Sphere

Related Identifiers

BIT-NIFI-2022-26850
CVE-2022-26850
GHSA-RVP4-R3G6-8HXQ

Affected Products

Apache Nifi