List:       oss-security
Subject:    [oss-security] CVE-2022-33140: Apache NiFi, Apache NiFi Registry: Improper Neutralization of Command
From:       David Handermann <exceptionfactory () apache ! org>
Date:       2022-06-15 12:24:22
Message-ID: 3435330c-e8dd-f9b7-6ff1-4a9bb76bb12b () apache ! org

Severity: high

Description:

The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not neutralize arguments for group resolution commands, allowing injection of operating system commands on Linux and macOS platforms.

The ShellUserGroupProvider is not included in the default configuration. Command injection requires ShellUserGroupProvider to be one of the enabled User Group Providers in the Authorizers configuration. Command injection also requires an authenticated user with elevated privileges. Apache NiFi requires an authenticated user with authorization to modify access policies in order to execute the command. Apache NiFi Registry requires an authenticated user with authorization to read user groups in order to execute the command.

The resolution removes command formatting based on user-provided arguments, so that a user name supplied to group resolution is no longer interpolated into a shell command string.

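
The pattern behind this advisory, as an added illustration that is not Apache NiFi's code and not the NIFI-10114 patch: a group resolution command is built by formatting a user name into a string that is then handed to a shell, so a user name containing shell metacharacters runs extra commands. The hardened form passes the user name as a single argv element and never invokes a shell. The command template (`id -Gn %s`), the payload user name and the function names are assumptions made for this demonstration; the allow-list validator at the end goes beyond the advisory and is added here as defence in depth.

```python
"""
Constructed example of the command-formatting bug described in
CVE-2022-33140 and the shape of its fix. Not Apache NiFi's own
ShellUserGroupProvider; template, payload and names are assumptions.
"""
import re
import subprocess

# Assumed group-resolution template: the user name is formatted into a
# command string which is then executed through a shell.
GROUP_COMMAND_TEMPLATE = "id -Gn %s"

# Constructed payload: a "user name" that is also a shell command sequence.
INJECTED_USERNAME = "nobody; echo INJECTED"


def build_command_vulnerable(username: str) -> str:
    """Format the user name straight into a shell command string."""
    return GROUP_COMMAND_TEMPLATE % username


def resolve_groups_vulnerable(username: str) -> str:
    """Run the formatted string via 'sh -c'. The shell interprets the ';'
    in the user name, so the trailing 'echo INJECTED' executes."""
    proc = subprocess.run(["sh", "-c", build_command_vulnerable(username)],
                          capture_output=True, text=True, check=False)
    return proc.stdout


def build_command_fixed(username: str) -> list:
    """Keep the user name as one argv element; nothing parses it as shell."""
    return ["id", "-Gn", username]


def resolve_groups_fixed(username: str) -> str:
    """Invoke id(1) directly. 'nobody; echo INJECTED' is passed as a single
    literal argument, so id fails on an unknown user and nothing else runs."""
    proc = subprocess.run(build_command_fixed(username),
                          capture_output=True, text=True, check=False)
    return proc.stdout


# Defence in depth (assumption, not part of the advisory): only accept user
# names matching a conservative allow-list before they reach any command,
# regardless of how that command is executed.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}\$?$")


def is_acceptable_username(username: str) -> bool:
    """True only for names made of the conservative allow-list characters."""
    return USERNAME_RE.fullmatch(username) is not None


def injected(output: str) -> bool:
    """Did the injected 'echo INJECTED' reach the captured stdout?"""
    return "INJECTED" in output


if __name__ == "__main__":
    print("vulnerable command:", repr(build_command_vulnerable(INJECTED_USERNAME)))
    print("  injected?", injected(resolve_groups_vulnerable(INJECTED_USERNAME)))
    print("fixed argv:        ", build_command_fixed(INJECTED_USERNAME))
    print("  injected?", injected(resolve_groups_fixed(INJECTED_USERNAME)))
    print("validator accepts 'nifi'?   ", is_acceptable_username("nifi"))
    print("validator accepts payload?  ", is_acceptable_username(INJECTED_USERNAME))
```

The check worth keeping from this: whether or not `id -Gn nobody` succeeds on the host, the shell path prints `INJECTED` and the argv path does not, because the difference lies in who parses the user name, not in what `id` returns.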
This issue is being tracked as NIFI-10114.

Mitigation:

Disabling the ShellUserGroupProvider mitigates the vulnerability.
