CVE-2022-26850

Опубликовано: 06 апр. 2022

Источник: nvd

CVSS3: 4.3

CVSS2: 4

EPSS Низкий

Описание

When creating or updating credentials for single-user access, Apache NiFi wrote a copy of the Login Identity Providers configuration to the operating system temporary directory. On most platforms, the operating system temporary directory has global read permissions. NiFi immediately moved the temporary file to the final configuration directory, which significantly limited the window of opportunity for access. NiFi 1.16.0 includes updates to replace the Login Identity Providers configuration without writing a file to the operating system temporary directory.

Ссылки

http://www.openwall.com/lists/oss-security/2022/04/06/2
Mailing List
Third Party Advisory
https://nifi.apache.org/security.html#CVE-2022-26850
Vendor Advisory
http://www.openwall.com/lists/oss-security/2022/04/06/2
Mailing List
Third Party Advisory
https://nifi.apache.org/security.html#CVE-2022-26850
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*

Версия от 1.14.0 (включая) до 1.16.0 (исключая)

EPSS

Процентиль: 77%

0.01021

Низкий

4.3 Medium

CVSS3

4 Medium

CVSS2

Дефекты

CWE-668

Связанные уязвимости

GHSA-rvp4-r3g6-8hxq

CVSS3: 6.5

github

больше 3 лет назад

Insufficiently Protected Credentials via Insecure Temporary File in org.apache.nifi:nifi-single-user-utils