CVE-2020-9487

Summary

In Apache NiFi 1.0.0 to 1.11.4, the NiFi download token (one-time password) mechanism used a fixed cache size and did not authenticate a request to create a download token, only when attempting to use the token to access the content. An unauthenticated user could repeatedly request download tokens, preventing legitimate users from requesting download tokens.

Affected Software

VendorProductVersion RangeStatus
n/aApache NiFiApache NiFi 1.0.0 to 1.11.4affected

Weaknesses

  • Denial of Service

ADP Enrichment

CVE Program Container

Additional References

References