WEB APPLICATION VULNERABILITIES SCA (Software Composition Analysis)

CVE-2020-9491 Vulnerability in maven package org.apache.nifi:nifi-bootstrap

Description

In Apache NiFi 1.2.0 to 1.11.4, the NiFi UI and API were protected by mandating TLS v1.2, as well as listening connections established by processors like ListenHTTP, HandleHttpRequest, etc. However intracluster communication such as cluster request replication, Site-to-Site, and load balanced queues continued to support TLS v1.0 or v1.1.

Remediation

References

https://nifi.apache.org/security#CVE-2020-9491

https://lists.apache.org/thread.html/re48582efe2ac973f8cff55c8b346825cb491c71935e15ab2d61ef3bf%40%3Ccommits.nifi.apache.org%3E

https://lists.apache.org/thread.html/r2d9c21f9ec35d66f2bb42f8abe876dabd786166b6284e9a33582c718%40%3Ccommits.nifi.apache.org%3E

Related Vulnerabilities

CVE-2012-4534 Vulnerability in maven package org.apache.tomcat:tomcat-coyote

CVE-2011-4605 Vulnerability in maven package org.jboss.naming:jnpserver

CVE-2015-0250 Vulnerability in maven package org.apache.xmlgraphics:batik-dom

CVE-2023-32995 Vulnerability in maven package io.jenkins.plugins:miniorange-saml-sp

CVE-2012-3373 Vulnerability in maven package org.apache.wicket:wicket-request

Severity

High

Classification

CWE-327 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Vendor Advisory