4 matches found
org.apache.nifi:nifi-bootstrap (>=1.14.0 <=1.15.3), org.apache.nifi:nifi-single-user-iaa-providers (>=1.14.0 <=1.15.3) +2 more potentially affected by CVE-2022-26850 via org.apache.nifi:nifi-single-user-utils (>=1.14.0 <=1.15.3)
org.apache.nifi:nifi-single-user-utils MAVEN version =1.14.0, =1.14.0, =1.14.0, =1.14.0, =1.14.0, =1.15.3 Source cves: CVE-2022-26850 Source advisory: OSV:GHSA-RVP4-R3G6-8HXQ...
CVE-2022-26850
creationtimestamp | type | source
---|---|---
2022-04-06 22:30:33+00:00 | seen | https://t.me/cibsecurity/40255
2024-01-28 06:12:42+00:00 | seen | https://t.me/arpsyndicate/3228...
CVE-2022-26850
CVE-2022-26850 affects Apache NiFi (pre-1.16) where during creation/update of single-user credentials a copy of the Login Identity Providers configuration was written to the OS temporary directory, which often has global read permissions. The temporary file was moved to the final configuration di...
CVE-2022-26850 Insufficiently protected credentials
When creating or updating credentials for single-user access, Apache NiFi wrote a copy of the Login Identity Providers configuration to the operating system temporary directory. On most platforms, the operating system temporary directory has global read permissions. NiFi immediately moved the...