CVE-2019-10083 – org.apache.nifi:nifi-web-api
Package
Manager: maven
Name: org.apache.nifi:nifi-web-api
Vulnerable Version: >=1.3.0 <1.10.0
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00266 (percentile 0.49851)
Details
Apache NiFi process group information disclosure
When updating a Process Group via the API in NiFi versions 1.3.0 to 1.9.2, the response to the request includes all of its contents (at the topmost level, not recursively). The response included details about processors and controller services which the user may not have had read access to.
Metadata
Created: 2019-12-02T18:18:37Z
Modified: 2021-08-19T16:02:34Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-26p8-xrj2-mv53/GHSA-26p8-xrj2-mv53.json
CWE IDs: ["CWE-200"]
Alternative ID: GHSA-26p8-xrj2-mv53
Finding: F038
Auto approve: 1