CVE-2019-10083

5.3MEDIUM

Key Information:

Vendor: Apache
Status: Apache Nifi
Vendor: CVE Published:; 19 November 2019

Summary

When updating a Process Group via the API in NiFi versions 1.3.0 to 1.9.2, the response to the request includes all of its contents (at the top most level, not recursively). The response included details about processors and controller services which the user may not have had read access to.

Affected Version(s)

Apache NiFi Apache NiFi 1.3.0 to 1.9.2

References

https://nifi.apache.org/security.html#CVE-2019-10083

x_refsource_CONFIRM

https://lists.apache.org/thread.html/rca37935d661f4689cb4...

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 19, 2019
Vulnerability Reserved
Mar 26, 2019