PT-2023-6523 · Apache · Apache Nifi Minifi C++
Ferenc Gerlits · Published 2023-09-03 · Updated 2023-09-08 · CVE-2023-41180
CVSS v3.1: 5.9 Medium
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Apache NiFi MiNiFi C++ versions 0.13 through 0.14
Description
The InvokeHTTP component validates certificates incorrectly, which allows an intermediary to present a forged certificate during TLS handshake negotiation. The cause is that the Disable Peer Verification property of InvokeHTTP was effectively flipped, so peer verification is disabled by default when using HTTPS.
Recommendations
For Apache NiFi MiNiFi C++ versions 0.13.0 or 0.14.0, set the Disable Peer Verification property of InvokeHTTP to true.
Upgrading to MiNiFi C++ 0.15.0 corrects the default behavior.
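An added example, not part of the advisory or of MiNiFi's own code: a check that reports which InvokeHTTP processors run without peer verification on a given MiNiFi C++ version. It assumes the processors have already been loaded from the flow configuration into dictionaries with name, class and Properties keys, that the URL property is named Remote URL, and that releases other than 0.13 and 0.14 honour Disable Peer Verification as it is named; the sample entries are constructed.

```python
# Added example; not Apache NiFi MiNiFi project code.
AFFECTED = {(0, 13), (0, 14)}  # release lines named in this advisory
PROP = "Disable Peer Verification"

def release_of(version):
    """'0.14.0' -> (0, 14)"""
    return tuple(int(part) for part in version.split(".")[:2])

def peer_verification_on(version, props):
    """Effective TLS peer verification for one InvokeHTTP processor."""
    disable = str(props.get(PROP, "false")).strip().lower() == "true"
    if release_of(version) in AFFECTED:
        # Flipped meaning: the peer is verified only when the property is true.
        return disable
    # Assumption: every other release honours the property as it is named.
    return not disable

def audit(version, processors):
    """Return (name, advice) for each InvokeHTTP processor that skips verification."""
    findings = []
    for proc in processors:
        if not str(proc.get("class", "")).endswith("InvokeHTTP"):
            continue
        props = proc.get("Properties") or {}
        # "Remote URL" is an assumed property name. Skip only plain http://;
        # an unresolved expression such as ${url} is still checked.
        if str(props.get("Remote URL", "")).strip().lower().startswith("http://"):
            continue
        if peer_verification_on(version, props):
            continue
        if release_of(version) in AFFECTED:
            advice = f"set {PROP} to true, or upgrade to 0.15.0"
        else:
            advice = f"{PROP} is true; drop it if it was the 0.13/0.14 workaround"
        findings.append((proc.get("name"), advice))
    return findings

SAMPLE = [  # constructed entries, shaped like processors parsed from a flow config
    {"name": "post-default", "class": "org.apache.nifi.minifi.processors.InvokeHTTP",
     "Properties": {"Remote URL": "https://collector.example/ingest"}},
    {"name": "post-workaround", "class": "InvokeHTTP",
     "Properties": {"Remote URL": "https://collector.example/ingest", PROP: "true"}},
    {"name": "plain-http", "class": "InvokeHTTP",
     "Properties": {"Remote URL": "http://localhost:8080/status"}},
]

if __name__ == "__main__":
    for ver in ("0.14.0", "0.15.0"):
        for name, advice in audit(ver, SAMPLE):
            print(f"{ver} {name}: {advice}")
```

Run against the same flow before and after an upgrade, the check flags the default configuration on 0.13 and 0.14 and flags the workaround value once the release is no longer one of those two.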
Weakness Enumeration
Improper Certificate Validation
Affected Products
Apache Nifi Minifi C++