[MAVEN:GHSA-FMQW-VQH5-CWQ9] Apache NiFi user log out issue
Severity
High
Affected Packages
2
Fixed Packages
2
CVEs
1
When using an authentication mechanism other than PKI, when the user clicks Log Out in NiFi versions 1.0.0 to 1.9.2, NiFi invalidates the authentication token on the client side but not on the server side. This permits the user's client-side token to be used for up to 12 hours after logging out to make API requests to NiFi.
| Package | Affected Version |
|---|---|
 pkg:maven/org.apache.nifi/nifi-web-security
|
>= 1.3.0, < 1.10.0 |
|
pkg:maven/org.apache.nifi/nifi-web-api
|
>= 1.3.0, < 1.10.0 |
| Package | Fixed Version |
|---|---|
|
pkg:maven/org.apache.nifi/nifi-web-security
|
= 1.10.0 |
|
pkg:maven/org.apache.nifi/nifi-web-api
|
= 1.10.0 |
- ID
- MAVEN:GHSA-FMQW-VQH5-CWQ9
- Severity
- high
- URL
- https://github.com/advisories/GHSA-fmqw-vqh5-cwq9
- Published
-
2019-12-02T18:19:39
(4 years ago) - Modified
-
2023-09-27T11:46:34
(11 months ago) - Rights
- Maven Security Team
| Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
|---|---|---|---|---|---|---|---|
| Affected | pkg:maven/org.apache.nifi/nifi-web-security | org.apache.nifi |
nifi-web-security
|
>= 1.3.0 < 1.10.0 | |||
| Fixed | pkg:maven/org.apache.nifi/nifi-web-security | org.apache.nifi |
nifi-web-security
|
= 1.10.0 | |||
| Affected | pkg:maven/org.apache.nifi/nifi-web-api | org.apache.nifi |
nifi-web-api
|
>= 1.3.0 < 1.10.0 | |||
| Fixed | pkg:maven/org.apache.nifi/nifi-web-api | org.apache.nifi |
nifi-web-api
|
= 1.10.0 |
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
|---|---|---|---|---|---|---|---|---|---|---|---|
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |