logo

Database

Authentication mechanism absence or evasion In org.apache.nifi:nifi-web-security

Description

Missing Authentication for Critical Function in Apache NiFi In Apache NiFi 1.0.0 to 1.11.4, the NiFi download token (one-time password) mechanism used a fixed cache size and did not authenticate a request to create a download token, only when attempting to use the token to access the content. An unauthenticated user could repeatedly request download tokens, preventing legitimate users from requesting download tokens.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2020-94872. NVD-2020-94873. OSV-2020-94874. GCVE-2020-94875. nifi.apache.org

References

1. https://github.com/apache/nifi/pull/42712. https://github.com/apache/nifi/commit/01e42dfb3291c3a3549023edadafd2d8023f30423. https://nifi.apache.org/security#CVE-2020-9487

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.