nifi-web-api does not properly handle authentication tokens. When an authentication mechanism other than PKI is in use, nifi-web-api does not invalidate the server-side authentication token when the user clicks log out. As a result, the session remains valid for another 12 hours despite the logout.
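
The behaviour described above, as an added example that is not NiFi's code: a hypothetical `TokenService` (per-user HMAC signing key, constructed user and timestamp) whose logout either leaves server-side state untouched or discards the user's signing key. Discarding the key is one common revocation approach and is an assumption here, not a description of the NiFi fix.

```python
import base64, hashlib, hmac, json, secrets

TOKEN_TTL = 12 * 60 * 60  # 12-hour token lifetime, matching the advisory


class TokenService:
    """Hypothetical service issuing HMAC-signed tokens with a per-user key."""

    def __init__(self, revoke_on_logout):
        self.revoke_on_logout = revoke_on_logout
        self.keys = {}  # user -> signing key; the only server-side state

    @staticmethod
    def _sign(key, payload):
        return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()

    def login(self, user, now):
        key = self.keys.setdefault(user, secrets.token_bytes(32))
        claims = json.dumps({"sub": user, "exp": now + TOKEN_TTL})
        payload = base64.urlsafe_b64encode(claims.encode()).decode()
        return payload + "." + self._sign(key, payload)

    def logout(self, user):
        # Without revocation the server keeps accepting the token until "exp";
        # only the client has forgotten it.
        if self.revoke_on_logout:
            self.keys.pop(user, None)  # tokens signed with this key stop verifying

    def is_valid(self, token, now):
        try:
            payload, sig = token.split(".")
            claims = json.loads(base64.urlsafe_b64decode(payload))
            key = self.keys.get(claims["sub"])
            exp = claims["exp"]
        except (ValueError, KeyError, TypeError):
            return False
        if key is None:
            return False
        ok = hmac.compare_digest(sig.encode(), self._sign(key, payload).encode())
        return ok and now < exp


def replay_after_logout(revoke_on_logout, seconds_after=3600):
    """Log in, log out, then present the old token again after a delay."""
    svc = TokenService(revoke_on_logout)
    t0 = 1_700_000_000  # constructed timestamp
    token = svc.login("alice", t0)  # constructed user
    svc.logout("alice")
    return svc.is_valid(token, t0 + seconds_after)
```

`replay_after_logout(False)` shows the token still being accepted an hour after logout; with `True` the same token is rejected immediately.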
CPE

Name | Operator | Version |
---|---|---|
nifi-web-api | le | 1.9.2 |
github.com/apache/nifi/commit/cf6f5172503ce438c6c22c334c9367f774db7b24
github.com/apache/nifi/pull/3362
issues.apache.org/jira/browse/NIFI-6085
lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E
nifi.apache.org/security.html#CVE-2019-12421