5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-10083

GHSA ID

GHSA-26p8-xrj2-mv53

EPSS Score

0.49927%

CWE

CWE-200

Published

12/2/2019

Updated

1/9/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-10083

CVE-2019-10083: Apache NiFi process group information disclosure

When updating a Process Group via the API in NiFi versions 1.3.0 to 1.9.2, the response to the request includes all of its contents (at the top most level, not recursively). The response included details about processors and controller services which the user may not have had read access to.

(GitHub Advisory)

5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-10083

GHSA ID

GHSA-26p8-xrj2-mv53

EPSS Score

0.49927%

CWE

CWE-200

Published

12/2/2019

Updated

1/9/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.nifi:nifi-web-api	maven	>= 1.3.0, < 1.10.0	1.10.0
org.apache.nifi:nifi	maven	>= 1.3.0, < 1.10.0	1.10.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from API endpoints returning full process group details including unauthorized child components. The primary entry point would be the ProcessGroupResource.updateProcessGroup controller method that handles PUT requests. This method likely called service layer methods like ProcessGroupService.getProcessGroup that retrieved complete entity data. The pre-patch implementation didn't perform sufficient authorization checks on contained components when serializing the response. Runtime detection would observe these functions in call stacks when processing process group update requests that expose sensitive components.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W**n up**tin* * Pro**ss *roup vi* t** *PI in Ni*i v*rsions *.*.* to *.*.*, t** r*spons* to t** r*qu*st in*lu**s *ll o* its *ont*nts (*t t** top most l*v*l, not r**ursiv*ly). T** r*spons* in*lu*** **t*ils **out pro**ssors *n* *ontroll*r s*rvi**s w*i**

Reasoning

T** vuln*r**ility st*ms *rom *PI *n*points r*turnin* *ull `pro**ss` *roup **t*ils in*lu*in* un*ut*oriz** **il* *ompon*nts. T** prim*ry *ntry point woul* ** t** `Pro**ss*roupR*sour**.up**t*Pro**ss*roup` *ontroll*r m*t*o* t**t **n*l*s PUT r*qu*sts. T*i

5.3

Basic Information

Concerned about an active attack path?

CVE-2019-10083: Apache NiFi process group information disclosure

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI