Authentication Flaw in NiFi Registry Software by Apache
CVE-2020-9482
6.5 MEDIUM
Summary
In NiFi Registry versions 0.1.0 through 0.5.0, authentication tokens are handled improperly at logout. When a user logs out while using an authentication method other than Public Key Infrastructure (PKI), the token is invalidated only on the client side; the server continues to accept it for up to 12 hours after logout. A stale token can therefore still be used to make unauthorized API requests, posing a critical risk to data security and integrity.
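The following is an added illustration of the behaviour the summary describes; it is not NiFi Registry code and is written in Python rather than the project's Java. A hypothetical TokenService issues HMAC-signed bearer tokens with a 12-hour lifetime and can be configured either the flawed way (logout changes nothing on the server, so the token stays valid until it expires) or the fixed way (logout records the token's constructed "jti" identifier in a server-side revocation list that is consulted on every API call). All names, the secret and the clock values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Callable, Dict, Optional

# Lifetime matching the 12-hour window named in the advisory.
TOKEN_LIFETIME_SECONDS = 12 * 60 * 60


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class TokenService:
    """Hypothetical bearer-token issuer (not NiFi Registry's implementation).

    revoke_on_logout=False models the flawed behaviour: logout is client-side only.
    revoke_on_logout=True models the fix: logout adds the token to a server-side deny list.
    """

    def __init__(self, secret: bytes, revoke_on_logout: bool,
                 clock: Callable[[], float] = time.time) -> None:
        self._secret = secret
        self._revoke_on_logout = revoke_on_logout
        self._clock = clock
        self._revoked: Dict[str, float] = {}  # jti -> exp, pruned once the token would expire anyway

    def issue(self, user: str) -> str:
        now = self._clock()
        claims = {"sub": user, "jti": secrets.token_hex(16),
                  "iat": now, "exp": now + TOKEN_LIFETIME_SECONDS}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = _b64(hmac.new(self._secret, body.encode(), hashlib.sha256).digest())
        return f"{body}.{sig}"

    def _decode(self, token: str) -> Optional[dict]:
        # Reject anything that is malformed or whose signature does not verify.
        try:
            body, sig = token.split(".")
            expected = hmac.new(self._secret, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _unb64(sig)):
                return None
            return json.loads(_unb64(body))
        except ValueError:
            return None

    def verify(self, token: str) -> Optional[str]:
        """Return the subject if the token may be used for an API call, else None."""
        claims = self._decode(token)
        if claims is None or claims["exp"] <= self._clock():
            return None
        self._prune()
        if claims["jti"] in self._revoked:
            return None  # server-side revocation: the fix the advisory calls for
        return claims["sub"]

    def logout(self, token: str) -> None:
        claims = self._decode(token)
        if claims is None:
            return
        if self._revoke_on_logout:
            self._revoked[claims["jti"]] = claims["exp"]
        # Flawed variant: nothing happens here; only the client discards its copy.

    def _prune(self) -> None:
        now = self._clock()
        for jti, exp in list(self._revoked.items()):
            if exp <= now:
                del self._revoked[jti]


def demo(revoke_on_logout: bool):
    """Issue, log out, then probe the token one hour later and again after expiry.

    Returns (valid_before_logout, valid_after_logout, valid_after_expiry).
    """
    now = [1_000_000.0]  # constructed clock so the run is deterministic
    svc = TokenService(b"constructed-demo-secret", revoke_on_logout, clock=lambda: now[0])
    token = svc.issue("alice")
    before = svc.verify(token) == "alice"
    svc.logout(token)
    now[0] += 3600  # one hour after logout
    after_logout = svc.verify(token) == "alice"
    now[0] += TOKEN_LIFETIME_SECONDS  # well past the 12-hour lifetime
    after_expiry = svc.verify(token) == "alice"
    return before, after_logout, after_expiry


if __name__ == "__main__":
    print("client-side logout only:", demo(False))  # (True, True, False)
    print("server-side revocation: ", demo(True))   # (True, False, False)
```

In the flawed configuration the token is still accepted an hour after logout and is only refused once its 12-hour lifetime runs out; with server-side revocation the same request is refused immediately. The deny list only has to hold identifiers until their own expiry, which keeps it small, and a request that presents a revoked token is a useful detection signal to log.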
Affected Version(s)
Apache NiFi Registry 0.1.0 to 0.5.0
References
CVSS V3.1
Score: 6.5
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability reserved