CVE-2020-9487

In Apache NiFi 1.0.0 to 1.11.4, the NiFi download token (one-time password) mechanism used a fixed cache size and did not authenticate a request to create a download token, only when attempting to use the token to access the content. An unauthenticated user could repeatedly request download tokens, preventing legitimate users from requesting download tokens.
References
Link Resource
https://nifi.apache.org/security#CVE-2020-9487 Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2020-10-01 20:15

Updated : 2024-02-28 18:08


NVD link : CVE-2020-9487

Mitre link : CVE-2020-9487

CVE.ORG link : CVE-2020-9487


JSON object : View

Products Affected

apache

  • nifi
CWE
CWE-306

Missing Authentication for Critical Function