CVE-2020-9487

CWE-306Missing Authentication5 documents5 sources
Severity
7.5HIGH
EPSS
0.6%
top 29.64%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Apache Nifi
Timeline
PublishedOct 1
Latest updateJan 6

Description

In Apache NiFi 1.0.0 to 1.11.4, the NiFi download token (one-time password) mechanism used a fixed cache size and did not authenticate a request to create a download token, only when attempting to use the token to access the content. An unauthenticated user could repeatedly request download tokens, preventing legitimate users from requesting download tokens.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

Mavenorg.apache.nifi:nifi1.0.01.12.0-RC1
NVDapache/nifi1.0.01.11.4
CVEListV5apache_nifiApache NiFi 1.0.0 to 1.11.4

🔴Vulnerability Details

3
GHSA
Missing Authentication for Critical Function in Apache NiFi2022-01-06
OSV
Missing Authentication for Critical Function in Apache NiFi2022-01-06
CVEList
CVE-2020-9487: In Apache NiFi 12020-10-01

📋Vendor Advisories

1
Apache
Apache nifi: CVE-2020-9487
CVE-2020-9487 (HIGH CVSS 7.5) | In Apache NiFi 1.0.0 to 1.11.4 | cvebase.io