GitHub Advisory DatabaseGHSA-RCWJ-2HJ2-VMJJInsufficient Session Expiration in Apache NiFi Registry
6.4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
0.001 Low
EPSS
Percentile
43.9%
If NiFi Registry 0.1.0 to 0.5.0 uses an authentication mechanism other than PKI, when the user clicks Log Out, NiFi Registry invalidates the authentication token on the client side but not on the server side. This permits the user’s client-side token to be used for up to 12 hours after logging out to make API requests to NiFi Registry.
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| org.apache.nifi.registry:nifi-registry-web-api | le | 0.5.0 |
References
github.com/advisories/GHSA-rcwj-2hj2-vmjj
github.com/apache/nifi-registry/commit/2881e29dce3a179f3e56069b82ef8cbb7bd8d85c
github.com/apache/nifi-registry/pull/259/commits/32f9352465e877d71ad7f85b70f2304ba620e133#diff-a72e640a2c41fe6fe8848066f6a588da2e9e76350bef287d7e145a231042c485
github.com/apache/nifi-registry/pull/277/files/9f7f1c1b1095e3facdaa986435fa94eff78627dd
nifi.apache.org/registry-security.html#CVE-2020-9482
nvd.nist.gov/vuln/detail/CVE-2020-9482
Related
6.4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
0.001 Low
EPSS
Percentile
43.9%