Insufficient Session Expiration in Apache NiFi Registry

2022-02-0900:23:06

Google

osv.dev

0.001 Low

EPSS

Percentile

43.9%

JSON

If NiFi Registry 0.1.0 to 0.5.0 uses an authentication mechanism other than PKI, when the user clicks Log Out, NiFi Registry invalidates the authentication token on the client side but not on the server side. This permits the user’s client-side token to be used for up to 12 hours after logging out to make API requests to NiFi Registry.

CPENameOperatorVersion
org.apache.nifi.registry:nifi-registry-web-apieq0.3.0
org.apache.nifi.registry:nifi-registry-web-apieq0.5.0
org.apache.nifi.registry:nifi-registry-web-apieq0.1.0
org.apache.nifi.registry:nifi-registry-web-apieq0.4.0
org.apache.nifi.registry:nifi-registry-web-apieq0.2.0

Name	Operator	Version
org.apache.nifi.registry:nifi-registry-web-api	eq	0.3.0
org.apache.nifi.registry:nifi-registry-web-api	eq	0.5.0
org.apache.nifi.registry:nifi-registry-web-api	eq	0.1.0
org.apache.nifi.registry:nifi-registry-web-api	eq	0.4.0
org.apache.nifi.registry:nifi-registry-web-api	eq	0.2.0

References

github.com/apache/nifi-registry/commit/2881e29dce3a179f3e56069b82ef8cbb7bd8d85c

github.com/apache/nifi-registry/pull/259/commits/32f9352465e877d71ad7f85b70f2304ba620e133#diff-a72e640a2c41fe6fe8848066f6a588da2e9e76350bef287d7e145a231042c485

github.com/apache/nifi-registry/pull/277/files/9f7f1c1b1095e3facdaa986435fa94eff78627dd

nifi.apache.org/registry-security.html#CVE-2020-9482

nvd.nist.gov/vuln/detail/CVE-2020-9482