
CVE-2019-10083: Apache NiFi process group information disclosure

CVSS Score: 5.3 (CVSS v3.1)

Basic Information

EPSS Score: 0.49927%
Published: 12/2/2019
Updated: 1/9/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name                 | Ecosystem | Vulnerable Versions  | First Patched Version
org.apache.nifi:nifi-web-api | maven     | >= 1.3.0, < 1.10.0   | 1.10.0
org.apache.nifi:nifi         | maven     | >= 1.3.0, < 1.10.0   | 1.10.0

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from API endpoints returning full process group details, including child components the requester is not authorized to view. The primary entry point would be the ProcessGroupResource.updateProcessGroup controller method that handles PUT requests. This method likely called service layer methods such as ProcessGroupService.getProcessGroup, which retrieved the complete entity. The pre-patch implementation did not perform sufficient per-component authorization checks on the contained components when serializing the response, so the caller's permission on the process group itself was effectively treated as permission on everything inside it. Runtime detection would observe these functions in call stacks when processing process group update requests that expose sensitive components.


WAF Protection Rules

WAF Rule

When updating a Process Group via the API in NiFi versions *.*.* to *.*.*, the response to the request includes all of its contents (at the top most level, not recursively). The response included details about processors and controller services which
