Vulnerability Details CVE-2020-9491
In Apache NiFi 1.2.0 to 1.11.4, the NiFi UI and API were protected by mandating TLS v1.2, as well as listening connections established by processors like ListenHTTP, HandleHttpRequest, etc. However intracluster communication such as cluster request replication, Site-to-Site, and load balanced queues continued to support TLS v1.0 or v1.1.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.028
EPSS Ranking 85.6%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 5.0
References
- https://lists.apache.org/thread.html/r2d9c21f9ec35d66f2bb42f8abe876dabd786166b6284e9a33582c718%40%3Ccommits.nifi.apache.org%3E
- https://lists.apache.org/thread.html/re48582efe2ac973f8cff55c8b346825cb491c71935e15ab2d61ef3bf%40%3Ccommits.nifi.apache.org%3E
- https://nifi.apache.org/security#CVE-2020-9491
- https://lists.apache.org/thread.html/r2d9c21f9ec35d66f2bb42f8abe876dabd786166b6284e9a33582c718%40%3Ccommits.nifi.apache.org%3E
- https://lists.apache.org/thread.html/re48582efe2ac973f8cff55c8b346825cb491c71935e15ab2d61ef3bf%40%3Ccommits.nifi.apache.org%3E
- https://nifi.apache.org/security#CVE-2020-9491
Products affected by CVE-2020-9491
-
cpe:2.3:a:apache:nifi:1.0.0
-
cpe:2.3:a:apache:nifi:1.0.1
-
cpe:2.3:a:apache:nifi:1.1.0
-
cpe:2.3:a:apache:nifi:1.1.1
-
cpe:2.3:a:apache:nifi:1.1.2
-
cpe:2.3:a:apache:nifi:1.10.0
-
cpe:2.3:a:apache:nifi:1.11.0
-
cpe:2.3:a:apache:nifi:1.11.1
-
cpe:2.3:a:apache:nifi:1.11.2
-
cpe:2.3:a:apache:nifi:1.11.3
-
cpe:2.3:a:apache:nifi:1.11.4
-
cpe:2.3:a:apache:nifi:1.2.0
-
cpe:2.3:a:apache:nifi:1.3.0
-
cpe:2.3:a:apache:nifi:1.4.0
-
cpe:2.3:a:apache:nifi:1.5.0
-
cpe:2.3:a:apache:nifi:1.6.0
-
cpe:2.3:a:apache:nifi:1.7.0
-
cpe:2.3:a:apache:nifi:1.7.1
-
cpe:2.3:a:apache:nifi:1.8.0
-
cpe:2.3:a:apache:nifi:1.9.0
-
cpe:2.3:a:apache:nifi:1.9.1
-
cpe:2.3:a:apache:nifi:1.9.2