List: oss-security
Subject: [oss-security] CVE-2022-33140: Apache NiFi, Apache NiFi Registry: Improper Neutralization of Command
From: David Handermann <exceptionfactory () apache ! org>
Date: 2022-06-15 12:24:22
Message-ID: 3435330c-e8dd-f9b7-6ff1-4a9bb76bb12b () apache ! org
Severity: high
Description:
The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not neutralize arguments for group resolution commands, allowing injection of operating system commands on Linux and macOS platforms.

The ShellUserGroupProvider is not included in the default configuration. Command injection requires ShellUserGroupProvider to be one of the enabled User Group Providers in the Authorizers configuration. Command injection also requires an authenticated user with elevated privileges. Apache NiFi requires an authenticated user with authorization to modify access policies in order to execute the command. Apache NiFi Registry requires an authenticated user with authorization to read user groups in order to execute the command.
The resolution removes command formatting based on user-provided arguments. This issue is being tracked as NIFI-10114.
Mitigation:
Disabling the ShellUserGroupProvider mitigates the vulnerability.
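The defect class the advisory describes, and the shape of its fix, as an added Python illustration. This is not Apache NiFi's code: the `id -Gn <user>` command stands in for whatever group resolution command a provider might run, and the account-name pattern is an assumed conservative allow-list, not NiFi's rule. The point is that a caller-supplied name must never be formatted into a shell command line; it is validated and then passed as a discrete argv element so no shell ever parses it.

```python
"""Added example (not Apache NiFi code): resolving an account's groups
without letting caller-supplied text reach a shell."""
import re
import subprocess
from typing import List

# Assumption: a conservative POSIX-style account name allow-list. Adjust to the
# host's naming policy; this is an illustration, not NiFi's validation rule.
_NAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}\$?$")


def unsafe_group_command(user: str) -> str:
    """The anti-pattern: caller input formatted into a shell command string.

    A string like this is typically handed to `sh -c`, so every shell
    metacharacter in `user` is interpreted. Shown only for contrast; it is
    never executed in this module.
    """
    return f"id -Gn {user}"


def is_safe_name(name: str) -> bool:
    """True when `name` matches the allow-list (no spaces, quotes, `;`, `|`, `$(`...)."""
    return _NAME_RE.match(name) is not None


def validate_name(name: str) -> str:
    """Reject anything outside the allow-list before it nears a command."""
    if not is_safe_name(name):
        raise ValueError(f"rejected account name: {name!r}")
    return name


def group_command(user: str) -> List[str]:
    """Hardened form: validated name, passed as its own argv element.

    Assumption: `id -Gn` is a representative group resolution command on
    Linux and macOS; it is not the exact command NiFi's provider runs.
    """
    return ["id", "-Gn", validate_name(user)]


def resolve_groups(user: str) -> List[str]:
    """Run the argv list directly (shell=False is the default), so the
    argument reaches `id` verbatim and no shell parses it."""
    result = subprocess.run(
        group_command(user), capture_output=True, text=True, check=True
    )
    return result.stdout.split()


if __name__ == "__main__":
    # Constructed sample names: one acceptable, one that validation rejects.
    print(group_command("svc_nifi-01"))
    try:
        group_command("nifi; true")
    except ValueError as exc:
        print("blocked:", exc)
```

Two layers do the work here: the allow-list turns a large class of unexpected input into a logged rejection, and the argv form means that even if validation were loosened, the name is still data to `id`, not syntax to a shell. Reviewing a provider for this class of issue amounts to finding every place where a string is built from caller input and then handed to a shell.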