CVE-2020-9491

Severity: 7.5 HIGH
EPSS: 1.3% (top 20.13%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline: Published Oct 1; Latest update Jan 6

Description

In Apache NiFi 1.2.0 to 1.11.4, the NiFi UI and API were protected by mandating TLS v1.2, as well as listening connections established by processors like ListenHTTP, HandleHttpRequest, etc. However, intracluster communication such as cluster request replication, Site-to-Site, and load balanced queues continued to support TLS v1.0 or v1.1.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (3)

  Source       Package                 Versions
  Maven        org.apache.nifi:nifi    1.2.0 → 1.12.0-RC1
  NVD          apache/nifi             1.0.0 → 1.11.4
  CVEList V5   apache_nifi             Apache NiFi 1.2.0 to 1.11.4

Vulnerability Details (3)

  Source    Title                                            Date
  GHSA      Inadequate Encryption Strength in Apache NiFi    2022-01-06
  OSV       Inadequate Encryption Strength in Apache NiFi    2022-01-06
  CVEList   CVE-2020-9491: In Apache NiFi 1                  2020-10-01

Vendor Advisories (1)

  Source    Title
  Apache    Apache nifi: CVE-2020-9491
CVE-2020-9491 (HIGH CVSS 7.5) | In Apache NiFi 1.2.0 to 1.11.4 | cvebase.io