Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2024-56512

Severity
2.1 LOW
EPSS
29.2%
top 3.41%
CISA KEV
Not in KEV
Exploit
PoC available
Timeline
Published Dec 28

Description

Apache NiFi 1.10.0 through 2.0.0 are missing fine-grained authorization checking for Parameter Contexts, referenced Controller Services, and referenced Parameter Providers, when creating new Process Groups. Creating a new Process Group can include binding to a Parameter Context, but in cases where the Process Group did not reference any Parameter values, the framework did not check user authorization for the bound Parameter Context. Missing authorization for a bound Parameter Context enabled cl

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/S:P

Affected Packages (3 packages)

NVD | apache/nifi | 1.10.0 | 2.1.0
Maven | org.apache.nifi:nifi-web-api | 1.10.0 | 2.1.0
CVEListV5 | apache_software_foundation/apache_nifi | 1.10.0 | 2.0.0

🔴 Vulnerability Details

3
OSV
Apache NiFi: Missing Complete Authorization for Parameter and Service References (2024-12-28)
CVEList
Apache NiFi: Missing Complete Authorization for Parameter and Service References (2024-12-28)
GHSA
Apache NiFi: Missing Complete Authorization for Parameter and Service References (2024-12-28)

💥 Exploits & PoCs

1
Nuclei
Apache NiFi - Information Disclosure

📋 Vendor Advisories

1
Apache
Apache NiFi: CVE-2024-56512