CVE-2019-12421 — Insufficient Session Expiration in Apache Nifi

CWE-613 — Insufficient Session Expiration5 documents5 sources

Severity

8.8HIGHNVD

EPSS

0.6%

top 31.73%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Nifi Apache Software Foundation Apache Nifi

Timeline

PublishedNov 19

Latest updateDec 2

Description

When using an authentication mechanism other than PKI, when the user clicks Log Out in NiFi versions 1.0.0 to 1.9.2, NiFi invalidates the authentication token on the client side but not on the server side. This permits the user's client-side token to be used for up to 12 hours after logging out to make API requests to NiFi.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶NVDapache/nifi1.0.0 — 1.9.2

▶CVEListV5apache_software_foundation/apache_nifiApache NiFi 1.0.0 to 1.10.0

🔴Vulnerability Details

GHSA

Apache NiFi user log out issue↗2019-12-02

▶

OSV

Apache NiFi user log out issue↗2019-12-02

▶

CVEList

CVE-2019-12421: When using an authentication mechanism other than PKI, when the user clicks Log Out in NiFi versions 1↗2019-11-19

▶

📋Vendor Advisories

Apache

Apache nifi: CVE-2019-12421↗

▶