PT-2022-21706 · Apache · Apache NiFi, Apache NiFi Registry
David Handermann
Published 2022-06-15 · Updated 2025-09-12
CVE-2022-33140
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Apache NiFi versions 1.10.0 through 1.16.2
Apache NiFi Registry versions 0.6.0 through 1.16.2
Description
The optional ShellUserGroupProvider does not neutralize the arguments it passes to its group resolution commands, allowing injection of operating system commands on Linux and macOS platforms. Exploitation requires the ShellUserGroupProvider to be enabled in the Authorizers configuration and an authenticated user with elevated privileges: in Apache NiFi the command is reachable only with authorization to modify access policies, and in Apache NiFi Registry only with authorization to read user groups. The resolution removes command formatting based on user-provided arguments.
Recommendations
For Apache NiFi versions 1.10.0 through 1.16.2, consider disabling the ShellUserGroupProvider until a patch is available.
For Apache NiFi Registry versions 0.6.0 through 1.16.2, restrict access to the ShellUserGroupProvider to minimize the risk of exploitation.
As a temporary workaround, remove command formatting based on user-provided arguments for both Apache NiFi and Apache NiFi Registry.
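To make the root cause and the resolution concrete, the following is an added example written for this advisory, not code from Apache NiFi or its ShellUserGroupProvider. It contrasts a hypothetical group lookup that formats a user-supplied identifier into a shell command line with a hardened version that validates the identifier against an allow-list and passes it as a separate argv element with no shell involved. The use of getent as the lookup program, the class and method names, and the allow-list pattern are all assumptions made for the illustration; the advisory does not name the commands NiFi runs.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.regex.Pattern;

// Hypothetical group-resolution helper written for this advisory. It is not
// NiFi's ShellUserGroupProvider, and "getent" is an assumed stand-in for
// whatever lookup command a real provider would run.
public class GroupResolutionExample {

    // Injection-prone pattern: the caller-supplied identifier is formatted into
    // a command line that /bin/sh then parses, so any shell metacharacter inside
    // the identifier changes the command instead of staying part of the name.
    static String[] buildCommandUnsafe(String identifier) {
        String commandLine = String.format("getent group %s", identifier);
        return new String[] {"/bin/sh", "-c", commandLine};
    }

    // Hardened form: the identifier must match a conservative allow-list
    // (an assumption for this example) and is handed to the program as its own
    // argv element, with no shell in between, so it is never re-parsed as syntax.
    private static final Pattern SAFE_IDENTIFIER =
            Pattern.compile("^[A-Za-z_][A-Za-z0-9._-]{0,31}$");

    static String[] buildCommandSafe(String identifier) {
        if (identifier == null || !SAFE_IDENTIFIER.matcher(identifier).matches()) {
            throw new IllegalArgumentException("identifier rejected by allow-list");
        }
        return new String[] {"getent", "group", identifier};
    }

    // Executes argv directly (no shell) and returns exit code plus combined output.
    static String run(String[] argv) throws IOException, InterruptedException {
        Process process = new ProcessBuilder(argv).redirectErrorStream(true).start();
        StringBuilder output = new StringBuilder();
        try (BufferedReader reader = new BufferedReader(
                new InputStreamReader(process.getInputStream(), StandardCharsets.UTF_8))) {
            String line;
            while ((line = reader.readLine()) != null) {
                output.append(line).append('\n');
            }
        }
        int exitCode = process.waitFor();
        return "exit=" + exitCode + "\n" + output;
    }

    public static void main(String[] args) throws InterruptedException {
        // Constructed sample identifiers: a plain group name and one that
        // carries a shell metacharacter.
        String[] inputs = {"staff", "staff;extra"};

        for (String input : inputs) {
            System.out.println("input: " + input);
            // The unsafe builder accepts anything and forwards it to /bin/sh -c;
            // its argv is only printed here, never executed.
            System.out.println("  unsafe argv: " + Arrays.toString(buildCommandUnsafe(input)));
            try {
                String[] argv = buildCommandSafe(input);
                System.out.println("  safe argv:   " + Arrays.toString(argv));
                System.out.print(run(argv));   // needs getent, i.e. a Linux host
            } catch (IllegalArgumentException rejected) {
                System.out.println("  safe builder: " + rejected.getMessage());
            } catch (IOException unavailable) {
                System.out.println("  getent not available on this host");
            }
        }
    }
}
```

Run with `javac GroupResolutionExample.java && java GroupResolutionExample` on a Linux host. The plain name passes both builders; the name containing a semicolon is accepted by the unsafe builder but rejected by the hardened one before any process is started, which is the property the advisory's resolution restores: user-provided values never reach a shell parser.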
Fix
Special Elements Injection
OS Command Injection
Affected Products
Apache NiFi
Apache NiFi Registry