Insufficiently protected credentials
CVE-2022-26850

4.3MEDIUM

Key Information:

Vendor: Apache
Status: Apache Nifi
Vendor: CVE Published:; 6 April 2022

Summary

When creating or updating credentials for single-user access, Apache NiFi wrote a copy of the Login Identity Providers configuration to the operating system temporary directory. On most platforms, the operating system temporary directory has global read permissions. NiFi immediately moved the temporary file to the final configuration directory, which significantly limited the window of opportunity for access. NiFi 1.16.0 includes updates to replace the Login Identity Providers configuration without writing a file to the operating system temporary directory.

Affected Version(s)

Apache NiFi NiFi 1.14.0 to 1.15.3

References

https://nifi.apache.org/security.html#CVE-2022-26850

x_refsource_MISC

http://www.openwall.com/lists/oss-security/2022/04/06/2

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 6, 2022
Vulnerability Reserved
Mar 10, 2022

Credit

This issue was discovered by Jonathan Leitschuh (https://twitter.com/jlleitschuh)