Excessive Information Disclosure in Apache NiFi API during Process Group Updates
CVE-2019-10083

5.3MEDIUM

Key Information:

Vendor: Apache
Status: Apache Nifi
Vendor: CVE Published:; 19 November 2019

Summary

In Apache NiFi, a vulnerability exists when updating a Process Group via the API in versions 1.3.0 to 1.9.2. The API response inadvertently includes extensive details regarding processors and controller services, potentially revealing sensitive information to users who lack the necessary read permissions. This flaw can lead to unauthorized visibility into system configurations, risking data confidentiality.

Affected Version(s)

Apache NiFi Apache NiFi 1.3.0 to 1.9.2

References

https://nifi.apache.org/security.html#CVE-2019-10083

x_refsource_CONFIRM

https://lists.apache.org/thread.html/rca37935d661f4689cb4...

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 19, 2019
Vulnerability Reserved
Mar 26, 2019