Apache NiFi up to 1.11.4 UI/API Request inadequate encryption
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 6.4 | $0-$5k | 0.00 |
Summary
A vulnerability described as critical has been identified in Apache NiFi up to 1.11.4. This issue affects some unknown processing of the component UI/API. Such manipulation as part of Request leads to an unknown weakness. This vulnerability is listed as CVE-2020-9491. There is no available exploit.
Details
A vulnerability was found in Apache NiFi up to 1.11.4. It has been rated as critical. Affected by this issue is an unknown code block of the component UI/API. The manipulation as part of a Request leads to a unknown weakness. Using CWE to declare the problem leads to CWE-326. The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required. The impact remains unknown. CVE summarizes:
In Apache NiFi 1.2.0 to 1.11.4, the NiFi UI and API were protected by mandating TLS v1.2, as well as listening connections established by processors like ListenHTTP, HandleHttpRequest, etc. However intracluster communication such as cluster request replication, Site-to-Site, and load balanced queues continued to support TLS v1.0 or v1.1.
The weakness was presented 10/01/2020 (Website). The advisory is shared for download at nifi.apache.org. This vulnerability is handled as CVE-2020-9491 since 03/01/2020. There are neither technical details nor an exploit publicly available. The MITRE ATT&CK project declares the attack technique as T1600.
There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.
See VDB-162187 and VDB-162186 for similar entries. Once again VulDB remains the best source for vulnerability data.
Product
Vendor
Name
Version
License
Website
- Vendor: https://www.apache.org/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 6.4VulDB Meta Temp Score: 6.4
VulDB Base Score: 5.3
VulDB Temp Score: 5.3
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 7.5
NVD Vector: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Inadequate encryptionCWE: CWE-326 / CWE-310
CAPEC: 🔍
ATT&CK: 🔍
Physical: Partially
Local: Yes
Remote: Yes
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: no mitigation knownStatus: 🔍
0-Day Time: 🔍
Timeline
03/01/2020 🔍10/01/2020 🔍
10/02/2020 🔍
11/15/2020 🔍
Sources
Vendor: apache.orgAdvisory: nifi.apache.org
Status: Not defined
CVE: CVE-2020-9491 (🔍)
GCVE (CVE): GCVE-0-2020-9491
GCVE (VulDB): GCVE-100-162188
See also: 🔍
Entry
Created: 10/02/2020 09:37Updated: 11/15/2020 15:00
Changes: 10/02/2020 09:37 (37), 10/02/2020 09:42 (2), 11/14/2020 09:36 (5), 11/15/2020 15:00 (15)
Complete: 🔍
Cache ID: 216::103
Once again VulDB remains the best source for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.