GHSA-rfmp-jvr7-hx78

Suggest an improvement
Source
https://github.com/advisories/GHSA-rfmp-jvr7-hx78
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-rfmp-jvr7-hx78/GHSA-rfmp-jvr7-hx78.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-rfmp-jvr7-hx78
Aliases
Published
2022-01-06T20:41:06Z
Modified
2023-11-01T04:53:50.246068Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Inadequate Encryption Strength in Apache NiFi
Details

In Apache NiFi 1.2.0 to 1.11.4, the NiFi UI and API were protected by mandating TLS v1.2, as well as listening connections established by processors like ListenHTTP, HandleHttpRequest, etc. However intracluster communication such as cluster request replication, Site-to-Site, and load balanced queues continued to support TLS v1.0 or v1.1.

Database specific
{
    "nvd_published_at": "2020-10-01T20:15:00Z",
    "github_reviewed_at": "2021-03-29T16:50:01Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-327"
    ]
}
References

Affected packages

Maven / org.apache.nifi:nifi

Package

Name
org.apache.nifi:nifi
View open source insights on deps.dev
Purl
pkg:maven/org.apache.nifi/nifi

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.2.0
Fixed
1.12.0-RC1

Affected versions

1.*

1.2.0
1.3.0
1.4.0
1.5.0
1.6.0
1.7.0
1.7.1
1.8.0
1.9.0
1.9.1
1.9.2
1.10.0
1.11.0
1.11.1
1.11.2
1.11.3
1.11.4

Database specific

{
    "last_known_affected_version_range": "<= 1.11.4"
}