Description

In Apache NiFi 1.0.0 to 1.11.4, the NiFi download token (one-time password) mechanism used a fixed cache size and did not authenticate a request to create a download token, only when attempting to use the token to access the content. An unauthenticated user could repeatedly request download tokens, preventing legitimate users from requesting download tokens.

Remediation

References

https://nifi.apache.org/security#CVE-2020-9487

Related Vulnerabilities

CVE-2020-28052 Vulnerability in maven package org.bouncycastle:bcprov-ext-jdk15on

CVE-2023-26471 Vulnerability in maven package org.xwiki.platform:xwiki-platform-rendering-async-macro

CVE-2020-2224 Vulnerability in maven package org.jenkins-ci.plugins:matrix-project

CVE-2023-37466 Vulnerability in maven package org.webjars.npm:vm2

CVE-2020-27178 Vulnerability in maven package org.apereo.cas:cas-server-support-otp-mfa-core

Severity

High

Classification

CWE-306 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Tags

Vendor Advisory