Description
In Apache NiFi 1.0.0 to 1.11.4, the NiFi download token (one-time password) mechanism used a fixed cache size and did not authenticate a request to create a download token, only when attempting to use the token to access the content. An unauthenticated user could repeatedly request download tokens, preventing legitimate users from requesting download tokens.
Remediation
References
https://nifi.apache.org/security#CVE-2020-9487
Related Vulnerabilities
CVE-2018-20677 Vulnerability in maven package org.webjars.bower:bootstrap-sass
CVE-2023-26476 Vulnerability in maven package org.xwiki.platform:xwiki-platform-wiki-ui-mainwiki
CVE-2015-2582 Vulnerability in maven package org.keycloak:keycloak-saml-core
CVE-2021-22144 Vulnerability in maven package org.elasticsearch:elasticsearch
CVE-2019-10474 Vulnerability in maven package org.jenkins-ci.plugins:global-post-script