| Reporter | Title | Published | Views | Family All 14 |
|---|---|---|---|---|
| The vulnerability of the New Process Group Handler component in the Apache NiFi data processing platform allows a hacker to gain unauthorized access to read, modify, or delete data. | 21 Jan 202500:00 | – | bdu_fstec | |
| CVE-2024-56512 | 28 Dec 202406:51 | – | circl | |
| Apache NiFi 安全漏洞 | 28 Dec 202400:00 | – | cnnvd | |
| CVE-2024-56512 | 28 Dec 202416:18 | – | cve | |
| CVE-2024-56512 Apache NiFi: Missing Complete Authorization for Parameter and Service References | 28 Dec 202416:18 | – | cvelist | |
| Apache NiFi: Missing Complete Authorization for Parameter and Service References | 28 Dec 202418:30 | – | github | |
| CVE-2024-56512 | 28 Dec 202417:15 | – | nvd | |
| BIT-NIFI-2024-56512 Apache NiFi: Missing Complete Authorization for Parameter and Service References | 12 Sep 202511:47 | – | osv | |
| GHSA-MPJ7-7MG7-X95J Apache NiFi: Missing Complete Authorization for Parameter and Service References | 28 Dec 202418:30 | – | osv | |
| PT-2024-10215 · Apache · Apache Nifi | 26 Dec 202400:00 | – | ptsecurity |
id: CVE-2024-56512
info:
name: Apache NiFi - Information Disclosure
author: DhiyaneshDK
severity: medium
description: |
Apache NiFi 1.10.0 through 2.0.0 are missing fine-grained authorization checking for Parameter Contexts, referenced Controller Services, and referenced Parameter Providers, when creating new Process Groups. Creating a new Process Group can include binding to a Parameter Context, but in cases where the Process Group did not reference any Parameter values, the framework did not check user authorization for the bound Parameter Context. Missing authorization for a bound Parameter Context enabled clients to download non-sensitive Parameter values after creating the Process Group.
impact: |
Attackers can create Process Groups bound to Parameter Contexts without proper authorization checks, enabling them to download non-sensitive parameter values and potentially access sensitive configuration data.
remediation: |
Update Apache NiFi to version 2.1.0 or later to address the missing authorization checks for Parameter Contexts.
reference:
- https://lists.apache.org/thread/cjc8fns5kjsho0s7vonlnojokyfx47wn
- http://www.openwall.com/lists/oss-security/2024/12/28/1
- https://github.com/absholi7ly/CVE-2024-56512-Apache-NiFi-Exploit/
- https://nvd.nist.gov/vuln/detail/CVE-2024-56512
classification:
cve-id: CVE-2024-56512
epss-score: 0.03095
epss-percentile: 0.8615
metadata:
verified: true
max-request: 1
shodan-query: title:"Nifi"
tags: cve,cve2024,nifi,exposure,vuln
http:
- method: GET
path:
- "{{BaseURL}}{{path}}"
payloads:
path:
- /nifi-api/flow/process-groups/root
- /nifi-api/controller/config
matchers-condition: or
matchers:
- type: dsl
name: process-group-information
dsl:
- 'contains(content_type, "application/json")'
- 'contains_all(body, "processGroupFlow", "breadcrumb")'
- 'status_code == 200'
condition: and
- type: dsl
name: config-information
dsl:
- 'contains(content_type, "application/json")'
- 'contains_all(body, "maxTimerDrivenThreadCount", "maxEventDrivenThreadCount")'
- 'status_code == 200'
condition: and
# digest: 490a00463044022032d0e605ae8cef7cca41455f7e09d4e2dc6e6c2982f946573262c5cfbb64e5a602200d2867fd3a25e83cfb2aa9bba88736ec428dc7df0bcb2052e553e0a1863aee47:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation