Description

In Apache NiFi 1.0.0 to 1.11.4, the NiFi download token (one-time password) mechanism used a fixed cache size and did not authenticate a request to create a download token, only when attempting to use the token to access the content. An unauthenticated user could repeatedly request download tokens, preventing legitimate users from requesting download tokens.

Remediation

References

https://nifi.apache.org/security#CVE-2020-9487

Related Vulnerabilities

CVE-2020-2264 Vulnerability in maven package org.jenkins-ci.plugins:custom-job-icon

CVE-2023-33943 Vulnerability in maven package com.liferay:com.liferay.account.admin.web

CVE-2022-23974 Vulnerability in maven package org.apache.pinot:pinot

CVE-2023-36479 Vulnerability in maven package org.eclipse.jetty.ee10:jetty-ee10-servlets

CVE-2020-7238 Vulnerability in maven package io.netty:netty-all

Severity

High

Classification

CWE-306 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Tags

Vendor Advisory