CVE-2020-9487

In Apache NiFi 1.0.0 to 1.11.4, the NiFi download token (one-time password) mechanism used a fixed cache size and did not authenticate a request to create a download token, only when attempting to use the token to access the content. An unauthenticated user could repeatedly request download tokens, preventing legitimate users from requesting download tokens.

Published: Oct 1, 2020
Updated: May 9, 2024
CVE: CVE-2020-9487
GHSA: GHSA-3pp3-77j6-8ph6
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:N/A:P

CWEs:

CWE-306

Affected Software
References

Software	From	Fixed in
apache / nifi	1.0.0	1.11.4.x
org.apache.nifi / nifi	1.0.0	1.12.0-RC1

https://github.com/apache/nifi/commit/01e42dfb3291c3a3549023edadafd2d8023f3042
https://nifi.apache.org/security#CVE-2020-9487

Vulnerability Database

289,599

CVE-2020-9487