Description
In Apache NiFi 1.0.0 to 1.11.4, the NiFi download token (one-time password) mechanism used a fixed cache size and did not authenticate a request to create a download token, only when attempting to use the token to access the content. An unauthenticated user could repeatedly request download tokens, preventing legitimate users from requesting download tokens.
Remediation
References
https://nifi.apache.org/security#CVE-2020-9487
Related Vulnerabilities
CVE-2019-10416 Vulnerability in maven package org.jenkins-ci.plugins:violation-comments-to-gitlab
CVE-2018-15531 Vulnerability in maven package net.bull.javamelody:javamelody-core
CVE-2020-6468 Vulnerability in npm package electron
CVE-2010-3718 Vulnerability in maven package tomcat:catalina
CVE-2011-2732 Vulnerability in maven package org.springframework.security:spring-security-core