CVE-2020-9491 Information
Feb 14, 2021
Description
In Apache NiFi 1.2.0 to 1.11.4, the NiFi UI and API were protected by mandating TLS v1.2, as well as listening connections established by processors like ListenHTTP, HandleHttpRequest, etc. However, intracluster communication such as cluster request replication, Site-to-Site, and load balanced queues continued to support TLS v1.0 or v1.1.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Reference
https://lists.apache.org/thread.html/r2d9c21f9ec35d66f2bb42f8abe876dabd786166b6284e9a33582c718@%3Ccommits.nifi.apache.org%3E
https://lists.apache.org/thread.html/re48582efe2ac973f8cff55c8b346825cb491c71935e15ab2d61ef3bf@%3Ccommits.nifi.apache.org%3E
https://nifi.apache.org/security.html#CVE-2020-9491
Attack Complexity
LOW
Privileges Required
NONE
User Interaction Required
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
Base Score
7.5
Base Severity
HIGH