CVE-2019-10083 — Sensitive Information Exposure in Apache Nifi

CWE-200 — Sensitive Information Exposure5 documents5 sources

Severity

5.3MEDIUMNVD

EPSS

1.2%

top 21.16%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Nifi Apache Software Foundation Apache Nifi

Timeline

PublishedNov 19

Latest updateDec 2

Description

When updating a Process Group via the API in NiFi versions 1.3.0 to 1.9.2, the response to the request includes all of its contents (at the top most level, not recursively). The response included details about processors and controller services which the user may not have had read access to.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

▶NVDapache/nifi1.3.0 — 1.9.2

▶CVEListV5apache_software_foundation/apache_nifiApache NiFi 1.3.0 to 1.9.2

🔴Vulnerability Details

OSV

Apache NiFi process group information disclosure↗2019-12-02

▶

GHSA

Apache NiFi process group information disclosure↗2019-12-02

▶

CVEList

CVE-2019-10083: When updating a Process Group via the API in NiFi versions 1↗2019-11-19

▶

📋Vendor Advisories

Apache

Apache nifi: CVE-2019-10083↗

▶