Описание
Incorrect certificate validation in InvokeHTTP on Apache NiFi MiNiFi C++ versions 0.13 to 0.14 allows an intermediary to present a forged certificate during TLS handshake negotation. The Disable Peer Verification property of InvokeHTTP was effectively flipped, disabling verification by default, when using HTTPS.
Mitigation: Set the Disable Peer Verification property of InvokeHTTP to true when using MiNiFi C++ versions 0.13.0 or 0.14.0. Upgrading to MiNiFi C++ 0.15.0 corrects the default behavior.
Ссылки
- Issue TrackingMailing ListVendor Advisory
- Issue TrackingMailing ListVendor Advisory
Уязвимые конфигурации
EPSS
5.9 Medium
CVSS3
Дефекты
Связанные уязвимости
Incorrect certificate validation in InvokeHTTP on Apache NiFi MiNiFi C++ versions 0.13 to 0.14 allows an intermediary to present a forged certificate during TLS handshake negotation. The Disable Peer Verification property of InvokeHTTP was effectively flipped, disabling verification by default, when using HTTPS. Mitigation: Set the Disable Peer Verification property of InvokeHTTP to true when using MiNiFi C++ versions 0.13.0 or 0.14.0. Upgrading to MiNiFi C++ 0.15.0 corrects the default behavior.
Уязвимость компонента InvokeHTTP платформы обработки данных Apache NiFi MiNiFi, существующая из-за недостаточной проверки подлинности сертификата, позволяющая нарушителю оказать воздействие на целостность данных
EPSS
5.9 Medium
CVSS3