Apache NiFi 1.3.0 – 1.9.2 security flaws disclosed

Overview :
Multiple flaws were discovered in NiFi versions 1.3.0 to 1.9.2.
Affected Product(s) :
  • Apache NiFi 1.3.0 – 1.9.2
Vulnerability Details :
CVE ID : CVE-2019-12421
If NiFi uses an authentication mechanism other than PKI, when the user clicks Log Out, NiFi invalidates the authentication token on the client side but not on the server side. This permits the user’s client-side token to be used for up to 12 hours after logging out to make API requests to NiFi.

Mitigation : The fix to invalidate the server-side authentication token immediately after the user clicks ‘Log Out’ was applied on the Apache NiFi 1.10.0 release. Users running a prior 1.x release should upgrade to the appropriate release.

CVE ID : CVE-2019-10083
When updating a Process Group via the API, the response to the request includes all of its contents (at the topmost level, not recursively). The response included details about processors and controller services that the user may not have had read access to.

Mitigation : Requests to update or remove the process group will no longer return the contents of the process group in the response in Apache NiFi 1.10.0. Users running a prior 1.x release should upgrade to the appropriate release.

CVE ID : CVE-2019-10080
The XMLFileLookupService allowed trusted users to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE) and reveal information such as the versions of Java, Jersey, and Apache that the NiFi instance uses.

Mitigation : A validator to ensure the XML file is not malicious was applied on the Apache NiFi 1.10.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
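As an added example, not NiFi's own validator code, the core of such a check in Java: a DocumentBuilderFactory hardened to refuse any DOCTYPE declaration and any external entity, applied to two constructed sample lookup files. The element names and key/value layout in the samples are placeholders, not NiFi's actual XML lookup-file schema.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

public class SafeXmlLookupValidator {

    // Hardened factory: with DOCTYPE declarations disallowed, no internal or external
    // entity (and therefore no XXE fetch of a remote DTD or local file) can ever be processed.
    private static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Returns true if the XML parses under the hardened configuration, false if the parser rejects it. */
    public static boolean isAcceptable(String xml) {
        try {
            DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
            // A DOCTYPE is a fatal error under disallow-doctype-decl, so parse() throws before
            // any entity could be resolved; a plain element-only document parses normally.
            builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample: a simple key/value lookup file with no DTD (placeholder layout).
        String benign = "<?xml version=\"1.0\"?>"
            + "<properties><entry key=\"country\">NL</entry></properties>";
        // Constructed sample: the same file with a DOCTYPE that declares an external entity;
        // the host is a reserved, non-resolvable placeholder.
        String withDoctype = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE properties [<!ENTITY ext SYSTEM \"http://example.invalid/x\">]>"
            + "<properties><entry key=\"country\">&ext;</entry></properties>";
        System.out.println("benign file accepted:  " + isAcceptable(benign));
        System.out.println("DOCTYPE file accepted: " + isAcceptable(withDoctype));
    }
}
```

Running the check before a configured file is handed to the real lookup parser turns the XXE class of problems into a configuration error the operator sees immediately, instead of an outbound request made by the NiFi host.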

Solution :

Apache has released update packages for all affected products listed above.
