PT-2024-10215 · Apache · Apache NiFi

Matt Gilman · Published 2024-12-26 · Updated 2025-09-12 · CVE-2024-56512

CVSS v3.1

5.4 (Medium)

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Apache NiFi versions 1.10.0 through 2.0.0

Description

The issue is related to missing fine-grained authorization checking for Parameter Contexts, referenced Controller Services, and referenced Parameter Providers when creating new Process Groups. This allows clients to download non-sensitive Parameter values after creating the Process Group, and enables clients to create Process Groups and use these components that were otherwise unauthorized. The scope is limited to authenticated users authorized to create Process Groups and to deployments with component-based authorization policies.

Recommendations

The recommended mitigation is upgrading to Apache NiFi 2.1.0, which includes authorization checking for Parameter and Controller Service references on Process Group creation.

Fix

Missing Authorization

Weakness Enumeration

Related Identifiers

BDU:2025-00545
BIT-NIFI-2024-56512
CVE-2024-56512
GHSA-MPJ7-7MG7-X95J

Affected Products

Apache NiFi