0.14.0

CVSS 5.9 - MEDIUM

Attack vector

NETWORK

Attack complexity

HIGH

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

HIGH

Availability impact

NONE

network

high complexity

apache

NVD

Published: 2023-09-03

Updated: 2024-11-21

Summary

Incorrect certificate validation in InvokeHTTP on Apache NiFi MiNiFi C++ versions 0.13 to 0.14 allows an intermediary to present a forged certificate during TLS handshake negotation. The Disable Peer Verification property of InvokeHTTP was effectively flipped, disabling verification by default, when using HTTPS. Mitigation: Set the Disable Peer Verification property of InvokeHTTP to true when using MiNiFi C++ versions 0.13.0 or 0.14.0. Upgrading to MiNiFi C++ 0.15.0 corrects the default behavior.

Vulnerable Configurations

Part	Description	Count
Application	Apache Apache Nifi Minifi C++ 0.13.0 Apache Nifi Minifi C++ 0.14.0	5

References

https://lists.apache.org/thread/b51f8csysg1pvgs6xjjrq5hrjrvfot1y
https://lists.apache.org/thread/b51f8csysg1pvgs6xjjrq5hrjrvfot1y