CVE-2020-9487

Source
https://nvd.nist.gov/vuln/detail/CVE-2020-9487
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-9487.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2020-9487
Aliases
Published
2020-10-01T20:15:14Z
Modified
2024-09-03T03:35:40.007059Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

In Apache NiFi 1.0.0 to 1.11.4, the NiFi download token (one-time password) mechanism used a fixed cache size and did not authenticate a request to create a download token, only when attempting to use the token to access the content. An unauthenticated user could repeatedly request download tokens, preventing legitimate users from requesting download tokens.

References

Affected packages

Git / github.com/apache/nifi

Affected ranges

Type
GIT
Repo
https://github.com/apache/nifi
Events

Affected versions

docker/nifi-1.*

docker/nifi-1.2.0

nifi-1.*

nifi-1.0.0-RC1
nifi-1.1.0-RC2
nifi-1.10.0-RC3
nifi-1.11.0-RC3
nifi-1.11.1-RC1
nifi-1.11.2-RC1
nifi-1.11.3-RC1
nifi-1.11.4-RC1
nifi-1.2.0-RC2
nifi-1.3.0-RC1
nifi-1.5.0-RC1
nifi-1.6.0-RC3
nifi-1.7.0-RC1
nifi-1.8.0-RC3
nifi-1.9.0-RC2

rel/nifi-1.*

rel/nifi-1.0.0
rel/nifi-1.1.0
rel/nifi-1.10.0
rel/nifi-1.11.0
rel/nifi-1.11.1
rel/nifi-1.11.2
rel/nifi-1.11.3
rel/nifi-1.11.4
rel/nifi-1.2.0
rel/nifi-1.3.0
rel/nifi-1.4.0
rel/nifi-1.5.0
rel/nifi-1.6.0
rel/nifi-1.7.0
rel/nifi-1.8.0
rel/nifi-1.9.0

support/nifi-1.*

support/nifi-1.11.1