Description

Apache NiFi is a tool that automates the flow of data between systems. A default installation is served over HTTP and does not require authentication, meaning that all connections have administrative privileges.

It's recommended to restrict access Apache NiFi and enable authentication.

Remediation

It's recommended to restrict access Apache NiFi and enable authentication.

References

Metasploit Modules for RCE in Apache NiFi and Kong API Gateway

Related Vulnerabilities

Java Management Extensions (JMX/RMI) service detected

Devise weak password

Insecure Transportation Security Protocol Supported (SSLv2)

Oracle E-Business Suite iStore open user registration

CouchDB REST API publicly accessible

Severity

Medium

Classification

CWE-287 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Insecure Admin Access Configuration