CVE-2020-9491 – org.apache.nifi:nifi
Package
Manager: maven
Name: org.apache.nifi:nifi
Vulnerable Version: >=1.2.0 <1.12.0-rc1
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.02825 (percentile 0.85624)
Details
Inadequate Encryption Strength in Apache NiFi
In Apache NiFi 1.2.0 to 1.11.4, the NiFi UI and API were protected by mandating TLS v1.2, as were listening connections established by processors like ListenHTTP, HandleHttpRequest, etc. However, intracluster communication such as cluster request replication, Site-to-Site, and load balanced queues continued to support TLS v1.0 or v1.1.
Metadata
Created: 2022-01-06T20:41:06Z
Modified: 2022-04-29T20:27:44Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-rfmp-jvr7-hx78/GHSA-rfmp-jvr7-hx78.json
CWE IDs: ["CWE-327"]
Alternative ID: GHSA-rfmp-jvr7-hx78
Finding: F052
Auto approve: 1