CVE-2022-26850: Resource Exposure in Apache NiFi

Severity: 4.3 MEDIUM (NVD)
EPSS: 1.9% (top 16.82%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 6; Latest update Jun 20

Description

When creating or updating credentials for single-user access, Apache NiFi wrote a copy of the Login Identity Providers configuration to the operating system temporary directory. On most platforms, the operating system temporary directory has global read permissions. NiFi immediately moved the temporary file to the final configuration directory, which significantly limited the window of opportunity for access. NiFi 1.16.0 includes updates to replace the Login Identity Providers configuration with
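The pattern the description warns about, and the usual hardening, as an added illustration that is not NiFi's own code. The risky variant stages the configuration in `java.io.tmpdir` (world-readable on most platforms, and `File.createTempFile` inherits the process umask); the hardened variant stages it in the destination directory with owner-only permissions requested at creation time, then renames atomically. File names and the XML content are placeholders.

```java
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

public class ConfigWriter {

    // Risky pattern (sketch, not NiFi's code): the copy lands in java.io.tmpdir,
    // typically 0644 under umask 022, and is readable by other local users until moved.
    static void writeViaSystemTempDir(Path target, String content) throws IOException {
        File tmp = File.createTempFile("login-identity-providers", ".xml");
        Files.writeString(tmp.toPath(), content, StandardCharsets.UTF_8);
        Files.move(tmp.toPath(), target,
                StandardCopyOption.REPLACE_EXISTING, StandardCopyOption.ATOMIC_MOVE);
    }

    // Hardened: stage next to the target (same filesystem, so the rename is atomic)
    // and ask for rw------- at creation time, so no window with wider permissions exists.
    static void writeNextToTarget(Path target, String content) throws IOException {
        Path dir = target.toAbsolutePath().getParent();
        Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString("rw-------");
        FileAttribute<Set<PosixFilePermission>> attr = PosixFilePermissions.asFileAttribute(ownerOnly);
        Path tmp;
        try {
            tmp = Files.createTempFile(dir, ".login-identity-providers", ".tmp", attr);
        } catch (UnsupportedOperationException e) {
            // Non-POSIX filesystem (e.g. Windows): POSIX attributes are rejected,
            // so fall back to the platform default and rely on the directory's ACL.
            tmp = Files.createTempFile(dir, ".login-identity-providers", ".tmp");
        }
        try {
            Files.writeString(tmp, content, StandardCharsets.UTF_8);
            Files.move(tmp, target,
                    StandardCopyOption.REPLACE_EXISTING, StandardCopyOption.ATOMIC_MOVE);
        } finally {
            Files.deleteIfExists(tmp); // only still present if the move failed
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed destination; a real deployment would use NiFi's conf directory.
        Path conf = Files.createTempDirectory("nifi-conf").resolve("login-identity-providers.xml");
        writeNextToTarget(conf, "<loginIdentityProviders>placeholder</loginIdentityProviders>\n");
        System.out.println("wrote " + conf);
    }
}
```

Independently of the code fix, pointing `java.io.tmpdir` at a directory private to the service account (for example via `-Djava.io.tmpdir=...` in the JVM options) removes the world-readable staging location for any library that still uses it.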

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Exploitability: 2.8 | Impact: 1.4

Affected Packages (2 packages)

NVD: apache/nifi, 1.14.0 to 1.16.0
CVEList V5: apache_software_foundation/apache_nifi, NiFi 1.14.0 to 1.15.3

Vulnerability Details (3)

OSV: Insufficiently Protected Credentials via Insecure Temporary File in org.apache.nifi:nifi-single-user-utils (2022-06-20)
GHSA: Insufficiently Protected Credentials via Insecure Temporary File in org.apache.nifi:nifi-single-user-utils (2022-06-20)
CVEList: Insufficiently protected credentials (2022-04-06)

Vendor Advisories (1)

Apache: Apache NiFi: CVE-2022-26850
CVE-2022-26850 — Resource Exposure in Apache Nifi | cvebase