4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N
4.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
0.0005 Low
EPSS
Percentile
17.3%
org.apache.nifi.authentication.single.user.writer.StandardLoginCredentialsWriter
contains a local information disclosure vulnerability due to writing credentials (username and password) to a file that is readable by all other users on unix-like systems. On unix-like systems, the system’s temporary directory is shared between all users on that system. As such, files written to that directory without setting the correct file permissions can allow other users on that system to view the contents of the files written to those temporary files.
An insecure temporary file is created here:
The username and password credentials are written to this file here:
The vulnerability has been patched in version 1.16
.
This vulnerability impacts Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users.
Setting the java.io.tmpdir
system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability for all operating systems.
CPE | Name | Operator | Version |
---|---|---|---|
org.apache.nifi:nifi-single-user-utils | le | 1.15.3 |
www.openwall.com/lists/oss-security/2022/04/06/2
github.com/advisories/GHSA-rvp4-r3g6-8hxq
github.com/apache/nifi/commit/859d5fe
github.com/apache/nifi/commit/859d5fe8cfe05ad24600b021f0ebf15753a8105c
github.com/JLLeitschuh/security-research/security/advisories/GHSA-rvp4-r3g6-8hxq
nifi.apache.org/security.html#CVE-2022-26850
nvd.nist.gov/vuln/detail/CVE-2022-26850
4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N
4.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
0.0005 Low
EPSS
Percentile
17.3%