CVE-2023-41180

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-41180
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-41180.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-41180
Published
2023-09-03T16:15:10Z
Modified
2025-01-14T11:57:02.361821Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
[none]
Details

Incorrect certificate validation in InvokeHTTP on Apache NiFi MiNiFi C++ versions 0.13 to 0.14 allows an intermediary to present a forged certificate during TLS handshake negotiation. The Disable Peer Verification property of InvokeHTTP was effectively flipped, disabling verification by default when using HTTPS.

Mitigation: Set the Disable Peer Verification property of InvokeHTTP to true when using MiNiFi C++ versions 0.13.0 or 0.14.0. Upgrading to MiNiFi C++ 0.15.0 corrects the default behavior.

References

Affected packages

Git / github.com/apache/nifi-minifi-cpp

Affected ranges

Type
GIT
Repo
https://github.com/apache/nifi-minifi-cpp
Events

Affected versions

minifi-cpp-0.*

minifi-cpp-0.13.0-RC1
minifi-cpp-0.13.0-RC2
minifi-cpp-0.14.0-RC1

rel/minifi-cpp-0.*

rel/minifi-cpp-0.13.0
rel/minifi-cpp-0.14.0