CVE-2022-26850 – org.apache.nifi:nifi-single-user-utils
Package
Manager: maven
Name: org.apache.nifi:nifi-single-user-utils
Vulnerable Version: >=0 <1.16
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00762 pctl0.72449
Details
Insufficiently Protected Credentials via Insecure Temporary File in org.apache.nifi:nifi-single-user-utils

### Impact
`org.apache.nifi.authentication.single.user.writer.StandardLoginCredentialsWriter` contains a local information disclosure vulnerability: it writes credentials (username and password) to a temporary file that is readable by all other users on Unix-like systems. On those systems the system temporary directory is shared between all users, so a file written there without restrictive permissions can be read by any other local user.

### Source
An insecure temporary file is created here:
- https://github.com/apache/nifi/blob/6a1c7c72d5b91b9ce5d5cb5b86e3155d21e2c19b/nifi-commons/nifi-single-user-utils/src/main/java/org/apache/nifi/authentication/single/user/writer/StandardLoginCredentialsWriter.java#L75

The username and password credentials are written to this file here:
- https://github.com/apache/nifi/blob/6a1c7c72d5b91b9ce5d5cb5b86e3155d21e2c19b/nifi-commons/nifi-single-user-utils/src/main/java/org/apache/nifi/authentication/single/user/writer/StandardLoginCredentialsWriter.java#L85-L95

### Patches
The vulnerability has been patched in version `1.16`.

### Prerequisites
This vulnerability affects Unix-like systems, and very old versions of Mac OS X and Windows, as they all share the system temporary directory between all users.

### Workarounds
Setting the `java.io.tmpdir` JVM system property (for example `-Djava.io.tmpdir=/path/to/private/dir`) to a directory that is owned by the executing user and is neither readable nor traversable by other users (mode 0700) mitigates this vulnerability on all operating systems: the credentials file keeps its permissive mode bits, but other users can no longer reach it.

### References
- https://issues.apache.org/jira/browse/NIFI-9785
- https://github.com/apache/nifi/commit/859d5fe
- https://github.com/apache/nifi/pull/5856
- https://nifi.apache.org/security.html#CVE-2022-26850
- https://twitter.com/JLLeitschuh/status/1511736635645435904?s=20&t=I3w3zF6Y2DUvWYsEFqERjg
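The pattern the advisory describes, as an added example that is not code from NiFi or from the advisory: a Java program writes the same kind of credentials file twice into `java.io.tmpdir`, once with `File.createTempFile`, whose mode follows the process umask and is typically `rw-r--r--`, and once with `Files.createTempFile`, which on POSIX file systems applies `rw-------` atomically at creation when no attributes are passed. It then reads back the permissions of each file and reports whether anyone other than the owner can read it. The property keys, file name prefix and sample credentials are assumptions; the hardened variant is the standard JDK approach and is not a copy of the NiFi patch.

```java
import java.io.File;
import java.io.IOException;
import java.io.Writer;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Properties;
import java.util.Set;

/**
 * Added example: contrasts an insecure and a hardened way of writing
 * credentials to a file under java.io.tmpdir. Not NiFi code.
 */
public final class TempCredentialsDemo {

    // Constructed sample values, not real credentials; the property keys are an assumption.
    private static final String USERNAME = "demo-user";
    private static final String PASSWORD = "demo-password";

    /**
     * Vulnerable pattern: File.createTempFile opens the file with mode 0666 masked
     * by the process umask, so with the common umask 022 the result is rw-r--r--
     * and every local user can read the credentials once they are written.
     */
    static Path writeInsecure() throws IOException {
        File tempFile = File.createTempFile("login-credentials-", ".properties");
        Path path = tempFile.toPath();
        writeCredentials(path);
        return path;
    }

    /**
     * Hardened pattern: on POSIX file systems Files.createTempFile applies
     * rw------- atomically at creation when no attributes are given, so there is
     * no window in which another user can open the file before it is written.
     */
    static Path writeRestricted() throws IOException {
        Path path = Files.createTempFile("login-credentials-", ".properties");
        writeCredentials(path);
        return path;
    }

    /**
     * Same hardening with the permissions requested explicitly, which documents the
     * intent in code. Throws UnsupportedOperationException on non-POSIX file
     * systems (Windows), where ACLs rather than mode bits govern access.
     */
    static Path writeRestrictedExplicit() throws IOException {
        FileAttribute<Set<PosixFilePermission>> ownerOnly =
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------"));
        Path path = Files.createTempFile("login-credentials-", ".properties", ownerOnly);
        writeCredentials(path);
        return path;
    }

    /** Writes username and password as a Java properties file (key names assumed). */
    private static void writeCredentials(Path path) throws IOException {
        Properties properties = new Properties();
        properties.setProperty("Username", USERNAME);
        properties.setProperty("Password", PASSWORD);
        try (Writer writer = Files.newBufferedWriter(path, StandardCharsets.UTF_8)) {
            properties.store(writer, "constructed sample, not real credentials");
        }
    }

    /** The check a reviewer wants: can anyone other than the owner read this file? */
    static boolean readableByOthers(Path path) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(path);
        return perms.contains(PosixFilePermission.GROUP_READ)
                || perms.contains(PosixFilePermission.OTHERS_READ);
    }

    public static void main(String[] args) throws IOException {
        Path insecure = null;
        Path restricted = null;
        Path explicit = null;
        try {
            insecure = writeInsecure();
            restricted = writeRestricted();
            explicit = writeRestrictedExplicit();
            for (Path p : new Path[] {insecure, restricted, explicit}) {
                System.out.printf("%s  readableByOthers=%-5b  %s%n",
                        PosixFilePermissions.toString(Files.getPosixFilePermissions(p)),
                        readableByOthers(p), p);
            }
        } finally {
            // Never leave credential files behind in a shared directory.
            for (Path p : new Path[] {insecure, restricted, explicit}) {
                if (p != null) {
                    Files.deleteIfExists(p);
                }
            }
        }
    }
}
```

Compile and run with `javac TempCredentialsDemo.java && java TempCredentialsDemo` on a Linux or macOS host; with the usual umask 022 the first line shows `rw-r--r--` and `readableByOthers=true`, the other two `rw-------` and `false`. Running with `umask 077` makes the first file private as well, which is why the advisory's exposure is described as typical rather than guaranteed. To see the workaround in action, run with `java -Djava.io.tmpdir="$(mktemp -d)" TempCredentialsDemo`: `mktemp -d` creates a 0700 directory, so even the `rw-r--r--` file is unreachable by other users.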
Metadata
Created: 2022-06-20T22:33:41Z
Modified: 2023-08-08T20:30:32Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-rvp4-r3g6-8hxq/GHSA-rvp4-r3g6-8hxq.json
CWE IDs: ["CWE-522"]
Alternative ID: GHSA-rvp4-r3g6-8hxq
Finding: F035
Auto approve: 1