CVE-2019-10083: Apache NiFi process group information disclosure
CVSS Score: 5.3 (CVSS v3.1)
Basic Information
CVE ID: CVE-2019-10083
GHSA ID:
EPSS Score: 0.49927%
CWE:
Published: 12/2/2019
Updated: 1/9/2023
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (network-reachable, low attack complexity, no privileges or user interaction required, scope unchanged; low confidentiality impact, no integrity or availability impact)
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.apache.nifi:nifi-web-api | maven | >= 1.3.0, < 1.10.0 | 1.10.0 |
org.apache.nifi:nifi | maven | >= 1.3.0, < 1.10.0 | 1.10.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the process group update endpoint (PUT /nifi-api/process-groups/{id}, handled by the ProcessGroupResource.updateProcessGroup controller method in nifi-web-api) returning the full process group entity in its response, including the group's top-level contents (not recursively), rather than only the group-level fields that were changed. The analysis assumes this method called a service-layer lookup such as ProcessGroupService.getProcessGroup that retrieved the complete entity. The pre-patch implementation authorized the write on the group itself but did not apply per-component read authorization when serializing the contained components, so a caller permitted to update a group could obtain details about processors and controller services they had no read access to. NiFi 1.3.0 through 1.9.2 are affected; 1.10.0 corrects it. Runtime detection would observe these functions in call stacks while a process group update request is being served and the response carries component details the requester is not authorized to read.
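The pattern described above, as an added example that is not Apache NiFi's code: a minimal Python model of a process group update handler. The vulnerable variant authorizes the write on the group and then serializes every top-level child with its full body; the hardened variant passes each child through its own read check and, following the NiFi convention of returning only the id and permissions for a component the caller cannot read, omits that component's body. The user-set authorization model, the ProcessGroup and Component classes, the component_entity helper and the fixture names (alice, bob, ListFiles, SecretKeyService) are all constructed for this illustration.

```python
# Added illustration for CVE-2019-10083 (not Apache NiFi code). Models a process
# group whose update endpoint returns the group's top-level contents and shows the
# per-component read check the pre-1.10.0 serializer was missing. The READ/WRITE
# model (sets of user names per resource) is an assumption made for the example.
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Component:
    id: str
    kind: str             # "processor" or "controller-service"
    name: str
    readers: Set[str]     # users granted READ on this component


@dataclass
class ProcessGroup:
    id: str
    name: str
    readers: Set[str]     # users granted READ on the group itself
    writers: Set[str]     # users granted WRITE on the group itself
    contents: List[Component] = field(default_factory=list)


def can_read(user: str, resource) -> bool:
    return user in resource.readers


def can_write(user: str, group: ProcessGroup) -> bool:
    return user in group.writers


def component_entity(component: Component, user: str) -> Dict:
    """Entity wrapper in the NiFi style: id and permissions are always present,
    the 'component' body only when the caller is allowed to read it."""
    entity = {
        "id": component.id,
        "type": component.kind,
        "permissions": {"canRead": can_read(user, component)},
    }
    if entity["permissions"]["canRead"]:
        entity["component"] = {"name": component.name}
    return entity


def update_process_group_vulnerable(group: ProcessGroup, user: str, new_name: str) -> Dict:
    """Pre-fix pattern: authorizes the write on the group, then serializes every
    child with its full body without asking whether the caller may read it."""
    if not can_write(user, group):
        raise PermissionError(f"{user} may not update {group.id}")
    group.name = new_name
    return {
        "id": group.id,
        "component": {"name": group.name},
        "contents": [
            {"id": c.id, "type": c.kind, "permissions": {"canRead": True},
             "component": {"name": c.name}}
            for c in group.contents
        ],
    }


def update_process_group_hardened(group: ProcessGroup, user: str, new_name: str) -> Dict:
    """Hardened pattern: same write check, but each contained component goes
    through its own read authorization before its body is included."""
    if not can_write(user, group):
        raise PermissionError(f"{user} may not update {group.id}")
    group.name = new_name
    return {
        "id": group.id,
        "component": {"name": group.name},
        "contents": [component_entity(c, user) for c in group.contents],
    }


def leaked_component_names(response: Dict, group: ProcessGroup, user: str) -> List[str]:
    """Names present in the response for children the user cannot read."""
    readable = {c.id for c in group.contents if can_read(user, c)}
    return [e["component"]["name"] for e in response["contents"]
            if "component" in e and e["id"] not in readable]


def sample_group() -> ProcessGroup:
    """Constructed fixture: alice may update the group and read the processor,
    but only bob may read the controller service that holds credentials."""
    return ProcessGroup(
        id="pg-1", name="ingest", readers={"alice", "bob"}, writers={"alice"},
        contents=[
            Component("proc-1", "processor", "ListFiles", readers={"alice", "bob"}),
            Component("cs-1", "controller-service", "SecretKeyService", readers={"bob"}),
        ],
    )


def demo() -> Dict[str, List[str]]:
    """Runs both handlers as alice and reports what each one leaks."""
    g = sample_group()
    return {
        "vulnerable": leaked_component_names(
            update_process_group_vulnerable(g, "alice", "ingest-v2"), g, "alice"),
        "hardened": leaked_component_names(
            update_process_group_hardened(g, "alice", "ingest-v2"), g, "alice"),
    }


if __name__ == "__main__":
    print(demo())  # {'vulnerable': ['SecretKeyService'], 'hardened': []}
```

The point of the hardened variant is that a write grant on the container is not treated as a read grant on everything inside it: the response for a child the caller cannot read still identifies the child (id, type, canRead false) so the client can render a placeholder, but carries no configuration.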