Vulnerabilities > CVE-2022-26850 - Exposure of Resource to Wrong Sphere vulnerability in Apache Nifi 1.14.0/1.15.0/1.15.3

047910
CVSS 4.3 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
LOW
Integrity impact
NONE
Availability impact
NONE
network
low complexity
apache
CWE-668

Summary

When creating or updating credentials for single-user access, Apache NiFi wrote a copy of the Login Identity Providers configuration to the operating system temporary directory. On most platforms, the operating system temporary directory has global read permissions. NiFi immediately moved the temporary file to the final configuration directory, which significantly limited the window of opportunity for access. NiFi 1.16.0 includes updates to replace the Login Identity Providers configuration without writing a file to the operating system temporary directory.

Vulnerable Configurations

Part Description Count
Application
Apache
3

Common Weakness Enumeration (CWE)