CVE-2024-56512

Published: Dic 28, 2024 Last Modified: Feb 11, 2025
ExploitDB:
Other exploit source:
Google Dorks:
LOW 2,1
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: high
User Interaction: none
Confidentiality: N/A
Integrity: N/A
Availability: N/A
MEDIUM 5,4
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: low
User Interaction: none
Scope: unchanged
Confidentiality: low
Integrity: low
Availability: none

Description

AI Translation Available

Apache NiFi 1.10.0 through 2.0.0 are missing fine-grained authorization checking for Parameter Contexts, referenced Controller Services, and referenced Parameter Providers, when creating new Process Groups.

Creating a new Process Group can include binding to a Parameter Context, but in cases where the Process Group did not reference any Parameter values, the framework did not check user authorization for the bound Parameter Context. Missing authorization for a bound Parameter Context enabled clients to download non-sensitive Parameter values after creating the Process Group.

Creating a new Process Group can also include referencing existing Controller Services or Parameter Providers. The framework did not check user authorization for referenced Controller Services or Parameter Providers, enabling clients to create Process Groups and use these components that were otherwise unauthorized.

This vulnerability is limited in scope to authenticated users authorized to create Process Groups. The scope is further limited to deployments with component-based authorization policies. Upgrading to Apache NiFi 2.1.0 is the recommended mitigation, which includes authorization checking for Parameter and Controller Service references on Process Group creation.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score
0,2392
Percentile
1,0th
Updated

EPSS Score Trend (Last 90 Days)

638

Not Using Complete Mediation

Draft
Abstraction: Class Structure: Simple
Common Consequences
Security Scopes Affected:
Integrity Confidentiality Availability Access Control Other
Potential Impacts:
Gain Privileges Or Assume Identity Execute Unauthorized Code Or Commands Bypass Protection Mechanism Read Application Data Other
Applicable Platforms
All platforms may be affected
View CWE Details
862

Missing Authorization

Incomplete
Abstraction: Class Structure: Simple
Common Consequences
Security Scopes Affected:
Confidentiality Integrity Access Control Availability
Potential Impacts:
Read Application Data Read Files Or Directories Modify Application Data Modify Files Or Directories Gain Privileges Or Assume Identity Bypass Protection Mechanism Dos: Crash, Exit, Or Restart Dos: Resource Consumption (Cpu) Dos: Resource Consumption (Memory) Dos: Resource Consumption (Other)
Applicable Platforms
Technologies: AI/ML, Database Server, Not Technology-Specific, Web Server
Likelihood of Exploit: High
View CWE Details
Application

Nifi by Apache

Product Information
Vendor Apache
Product Nifi
Version Range Affected
From 1.10.0 (inclusive)
To 2.1.0 (exclusive)
cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
http://www.openwall.com/lists/oss-security/2024/12/28/1
Mailing List
http://www.openwall.com/lists/oss-security/2024/12/28/1
https://lists.apache.org/thread/cjc8fns5kjsho0s7vonlnojokyf…
Mailing List
https://lists.apache.org/thread/cjc8fns5kjsho0s7vonlnojokyfx47wn