Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
cve[email protected]CVE-2022-26850
HistoryApr 06, 2022 - 6:15 p.m.

CVE-2022-26850

2022-04-0618:15:09
CWE-668
[email protected]
web.nvd.nist.gov
77
apache nifi
cve-2022-26850
credentials
vulnerability
security
nvd

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

4.5 Medium

AI Score

Confidence

High

4 Medium

CVSS2

Access Vector

Access Complexity

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

0.0005 Low

EPSS

Percentile

17.0%

JSON

When creating or updating credentials for single-user access, Apache NiFi wrote a copy of the Login Identity Providers configuration to the operating system temporary directory. On most platforms, the operating system temporary directory has global read permissions. NiFi immediately moved the temporary file to the final configuration directory, which significantly limited the window of opportunity for access. NiFi 1.16.0 includes updates to replace the Login Identity Providers configuration without writing a file to the operating system temporary directory.

Affected configurations

NVD
Node
apachenifiRange1.14.01.16.0
CPENameOperatorVersion
apache:nifiapache nifilt1.16.0

CNA Affected

[
  {
    "product": "Apache NiFi",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "status": "affected",
        "version": "NiFi 1.14.0 to 1.15.3"
      }
    ]
  }
]

Related

osv 2
nvd 1
veracode 1
prion 1
github 1
cvelist 1
osv
osv
Insufficiently Protected Credentials via Insecure Temporary File in org.apache.nifi:nifi-single-user-utils
2022-06-20 22:33:41
CVE-2022-26850
2022-04-06 18:15:09
nvd
nvd
CVE-2022-26850
2022-04-06 18:15:09
veracode
veracode
Information Disclosure
2022-04-07 13:04:25
prion
prion
Design/Logic Flaw
2022-04-06 18:15:00
github
github
Insufficiently Protected Credentials via Insecure Temporary File in org.apache.nifi:nifi-single-user-utils
2022-06-20 22:33:41
cvelist
cvelist
CVE-2022-26850 Insufficiently protected credentials
2022-04-06 17:40:09

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

4.5 Medium

AI Score

Confidence

High

4 Medium

CVSS2

Access Vector

Access Complexity

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

0.0005 Low

EPSS

Percentile

17.0%

JSON
Related for CVE-2022-26850
osv2nvd1veracode1prion1github1cvelist1