GHSA-26p8-xrj2-mv53

Suggest an improvement
Source
https://github.com/advisories/GHSA-26p8-xrj2-mv53
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-26p8-xrj2-mv53/GHSA-26p8-xrj2-mv53.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-26p8-xrj2-mv53
Aliases
Published
2019-12-02T18:18:37Z
Modified
2023-11-01T04:49:52.806638Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
Apache NiFi process group information disclosure
Details

When updating a Process Group via the API in NiFi versions 1.3.0 to 1.9.2, the response to the request includes all of its contents (at the top most level, not recursively). The response included details about processors and controller services which the user may not have had read access to.

Database specific
{
    "nvd_published_at": null,
    "github_reviewed_at": "2019-12-02T17:30:21Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-200"
    ]
}
References

Affected packages

Maven / org.apache.nifi:nifi-web-api

Package

Name
org.apache.nifi:nifi-web-api
View open source insights on deps.dev
Purl
pkg:maven/org.apache.nifi/nifi-web-api

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.3.0
Fixed
1.10.0

Affected versions

1.*

1.3.0
1.4.0
1.5.0
1.6.0
1.7.0
1.7.1
1.8.0
1.9.0
1.9.1
1.9.2

Maven / org.apache.nifi:nifi

Package

Name
org.apache.nifi:nifi
View open source insights on deps.dev
Purl
pkg:maven/org.apache.nifi/nifi

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.3.0
Fixed
1.10.0

Affected versions

1.*

1.3.0
1.4.0
1.5.0
1.6.0
1.7.0
1.7.1
1.8.0
1.9.0
1.9.1
1.9.2