BIT-NIFI-2024-56512 Apache NiFi: Missing Complete Authorization for Parameter and Service References

Apache NiFi 1.10.0 through 2.0.0 are missing fine-grained authorization checking for Parameter Contexts, referenced Controller Services, and referenced Parameter Providers, when creating new Process Groups. Creating a new Process Group can include binding to a Parameter Context, but in cases wher...

CVE-2024-56512

Apache NiFi 1.10.0 through 2.0.0 are missing fine-grained authorization checking for Parameter Contexts, referenced Controller Services, and referenced Parameter Providers, when creating new Process Groups. Creating a new Process Group can include binding to a Parameter Context, but in cases wher...

Unauthorized Access

Apache NiFi is vulnerable to Unauthorized Access. The vulnerability is due to missing fine-grained authorization checks during Process Group creation, allowing attackers to access Parameter Contexts, Controller Services, and Parameter Providers without proper permissions...

Apache NiFi: Missing Complete Authorization for Parameter and Service References

Apache NiFi 1.10.0 through 2.0.0 are missing fine-grained authorization checking for Parameter Contexts, referenced Controller Services, and referenced Parameter Providers, when creating new Process Groups. Creating a new Process Group can include binding to a Parameter Context, but in cases wher...

GHSA-MPJ7-7MG7-X95J Apache NiFi: Missing Complete Authorization for Parameter and Service References

Apache NiFi 1.10.0 through 2.0.0 are missing fine-grained authorization checking for Parameter Contexts, referenced Controller Services, and referenced Parameter Providers, when creating new Process Groups. Creating a new Process Group can include binding to a Parameter Context, but in cases wher...

CVE-2024-56512

Apache NiFi 1.10.0 through 2.0.0 are missing fine-grained authorization checking for Parameter Contexts, referenced Controller Services, and referenced Parameter Providers, when creating new Process Groups. Creating a new Process Group can include binding to a Parameter Context, but in cases wher...

CVE-2024-56512

Apache NiFi 1.10.0 through 2.0.0 are missing fine-grained authorization checking for Parameter Contexts, referenced Controller Services, and referenced Parameter Providers, when creating new Process Groups. Creating a new Process Group can include binding to a Parameter Context, but in cases wher...

CVE-2024-56512 Apache NiFi: Missing Complete Authorization for Parameter and Service References

Apache NiFi 1.10.0 through 2.0.0 are missing fine-grained authorization checking for Parameter Contexts, referenced Controller Services, and referenced Parameter Providers, when creating new Process Groups. Creating a new Process Group can include binding to a Parameter Context, but in cases wher...

CVE-2024-56512

CVE-2024-56512 (Apache NiFi) affects NiFi 1.10.0–2.0.0, where creating a new Process Group omits fine‑grained authorization checks for Parameter Contexts, referenced Controller Services, and referenced Parameter Providers. As a result, authenticated users with permission to create Process Groups ...

Apache NiFi 安全漏洞

Apache NiFi is a data processing and distribution system from the Apache USA Foundation. The system is primarily used for data routing, transformation, and system brokering logic. A security vulnerability exists in Apache NiFi versions 1.10.0 to 2.0.0, which stems from a lack of fine-grained...

PT-2024-10215 · Apache · Apache Nifi

Name of the Vulnerable Software and Affected Versions: Apache NiFi versions 1.10.0 through 2.0.0 Description: The issue is related to missing fine-grained authorization checking for Parameter Contexts, referenced Controller Services, and referenced Parameter Providers when creating new Process...

Apache NiFi H2 Connection String Remote Code Execution Exploit

The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution. This exploit will result in several shells 5-7. Successfully test...

Design/Logic Flaw

Apache NiFi 0.0.2 through 1.22.0 include Processors and Controller Services that support HTTP URL references for retrieving drivers, which allows an authenticated and authorized user to configure a location that enables custom code execution. The resolution introduces a new Required Permission fo...

PT-2023-5706 · Apache · Apache Nifi

Name of the Vulnerable Software and Affected Versions: Apache NiFi versions 0.0.2 through 1.22.0 Description: The issue is related to the Remote Resource Handler component of Apache NiFi, which is associated with incorrect code generation management. This can allow a remote attacker to execute...

GHSA-XM2M-2Q6H-22JW Apache NiFi vulnerable to Code Injection

The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution. The resolution validates the Database URL and rejects H2 JDBC...

CVE-2023-34468 Apache NiFi: Potential Code Injection with Database Services using H2

The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution. The resolution validates the Database URL and rejects H2 JDBC...

CVE-2023-34468 Apache NiFi: Potential Code Injection with Database Services using H2

The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution. The resolution validates the Database URL and rejects H2 JDBC...

Apache NiFi process group information disclosure

When updating a Process Group via the API in NiFi versions 1.3.0 to 1.9.2, the response to the request includes all of its contents at the top most level, not recursively. The response included details about processors and controller services which the user may not have had read access to...

Information Disclosure

nifi-web-api is vulnerable to information disclosure. The vulnerability exists as the response included details about processors and controller services even when the user does not have access to them...

Design/Logic Flaw

When updating a Process Group via the API in NiFi versions 1.3.0 to 1.9.2, the response to the request includes all of its contents at the top most level, not recursively. The response included details about processors and controller services which the user may not have had read access to...