Description
When a Process Group is updated via the API in NiFi versions 1.3.0 to 1.9.2, the response to the request includes all of the group's contents (at the topmost level only, not recursively). That response included details about processors and controller services to which the requesting user may not have had read access.
Remediation
References
https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E
https://nifi.apache.org/security.html#CVE-2019-10083