[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] [CVE-2019-10083] Apache NiFi process group information disclosure
From:       Nathan Gough <thenatog () apache ! org>
Date:       2019-11-19 18:41:39
Message-ID: CAEhjM2CozkQMViJxNmK94gw5T9bs6f2NM4vDknCJ7hEGSCjwWA () mail ! gmail ! com
[Download RAW message or body]


[CVEID]:CVE-2019-10083

[PRODUCT]:Apache NiFi

[VERSION]:Apache NiFi 1.3.0 to 1.9.2

[PROBLEMTYPE]:Information Disclosure

[REFERENCES]:https://nifi.apache.org/security.html#CVE-2019-10083

[DESCRIPTION]:As reported by Mark Payne, when updating a Process Group via
the API in NiFi versions 1.3.0 to 1.9.2, the response to the request
includes all of its contents (at the top most level, not recursively). The
response included details about processors and controller services which
the user may not have had read access to.


[prev in list] [next in list] [prev in thread] [next in thread]