Lucene search

K
cve[email protected]CVE-2022-26850
HistoryApr 06, 2022 - 6:15 p.m.

CVE-2022-26850

2022-04-0618:15:09
CWE-668
web.nvd.nist.gov
77
apache nifi
cve-2022-26850
credentials
vulnerability
security
nvd

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

4.5 Medium

AI Score

Confidence

High

4 Medium

CVSS2

Access Vector

Access Complexity

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

0.0005 Low

EPSS

Percentile

17.0%

When creating or updating credentials for single-user access, Apache NiFi wrote a copy of the Login Identity Providers configuration to the operating system temporary directory. On most platforms, the operating system temporary directory has global read permissions. NiFi immediately moved the temporary file to the final configuration directory, which significantly limited the window of opportunity for access. NiFi 1.16.0 includes updates to replace the Login Identity Providers configuration without writing a file to the operating system temporary directory.

Affected configurations

NVD
Node
apachenifiRange1.14.01.16.0
CPENameOperatorVersion
apache:nifiapache nifilt1.16.0

CNA Affected

[
  {
    "product": "Apache NiFi",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "status": "affected",
        "version": "NiFi 1.14.0 to 1.15.3"
      }
    ]
  }
]

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

4.5 Medium

AI Score

Confidence

High

4 Medium

CVSS2

Access Vector

Access Complexity

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

0.0005 Low

EPSS

Percentile

17.0%

Related for CVE-2022-26850