CVE-2019-10083 Information

Description

When updating a Process Group via the API in NiFi versions 1.3.0 to 1.9.2, the response to the request includes all of its contents (at the topmost level, not recursively). The response included details about processors and controller services which the user may not have had read access to.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Reference

https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E

https://nifi.apache.org/security.html#CVE-2019-10083

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

Base Score

5.3

Base Severity

MEDIUM
