logo

Database

Insecure encryption algorithm In org.apache.nifi:nifi

Description

Inadequate Encryption Strength in Apache NiFi In Apache NiFi 1.2.0 to 1.11.4, the NiFi UI and API were protected by mandating TLS v1.2, as well as listening connections established by processors like ListenHTTP, HandleHttpRequest, etc. However intracluster communication such as cluster request replication, Site-to-Site, and load balanced queues continued to support TLS v1.0 or v1.1.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2020-94912. NVD-2020-94913. OSV-2020-94914. GCVE-2020-9491

References

1. https://github.com/apache/nifi/commit/441781cec50f77d9f1e65093f55bbd614b8c5ec62. https://lists.apache.org/thread.html/r2d9c21f9ec35d66f2bb42f8abe876dabd786166b6284e9a33582c718@%3Ccommits.nifi.apache.org%3E3. https://lists.apache.org/thread.html/re48582efe2ac973f8cff55c8b346825cb491c71935e15ab2d61ef3bf@%3Ccommits.nifi.apache.org%3E4. https://nifi.apache.org/security#CVE-2020-9491

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.