CVE-2022-26850

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-26850
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-26850.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-26850
Aliases
Published
2022-04-06T18:15:09Z
Modified
2024-09-03T04:13:48.390378Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
[none]
Details

When creating or updating credentials for single-user access, Apache NiFi wrote a copy of the Login Identity Providers configuration to the operating system temporary directory. On most platforms, the operating system temporary directory has global read permissions. NiFi immediately moved the temporary file to the final configuration directory, which significantly limited the window of opportunity for access. NiFi 1.16.0 includes updates to replace the Login Identity Providers configuration without writing a file to the operating system temporary directory.

References

Affected packages

Git / github.com/apache/nifi

Affected ranges

Type
GIT
Repo
https://github.com/apache/nifi
Events

Affected versions

nifi-1.*

nifi-1.14.0-RC2
nifi-1.15.0-RC3

rel/nifi-1.*

rel/nifi-1.14.0
rel/nifi-1.15.0