Vulnerability Details : CVE-2020-9491
In Apache NiFi 1.2.0 to 1.11.4, the NiFi UI and API were protected by mandating TLS v1.2, as were the listening connections established by processors such as ListenHTTP and HandleHttpRequest. However, intracluster communication (cluster request replication, Site-to-Site, and load-balanced queues) continued to accept TLS v1.0 and v1.1, so a peer or on-path attacker able to reach those ports could still negotiate a deprecated protocol version that the UI and API no longer permitted.
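The practical check for this issue is to offer each TLS version to the intracluster ports individually and see which ones the node accepts. The probe below is an added example written for this page, not Apache NiFi code or the advisory's own tooling. It builds a legacy ClientHello with a chosen client_version, sends it over a plain socket and classifies the first record that comes back; it deliberately does not use the local ssl module, because modern OpenSSL builds refuse to offer TLS 1.0/1.1 as a client, which would make an ssl-based probe report a rejection that has nothing to do with the server. The cipher-suite list, the sample responses and the hostname are constructed for illustration; point the script at the ports configured by nifi.cluster.node.protocol.port, nifi.remote.input.socket.port and nifi.cluster.load.balance.port in nifi.properties, and compare with the HTTPS port, which should reject TLS 1.0 and 1.1 in the same builds.

```python
"""Raw TLS version probe for the intracluster ports named in CVE-2020-9491.

Added example, not Apache NiFi code. Offers one TLS version per connection and
reports whether the server answered with a ServerHello (accepted) or an alert
(rejected), independent of what the local OpenSSL is willing to negotiate.
"""
import ipaddress
import os
import socket
import struct
from typing import Dict, Optional, Tuple

TLS_VERSIONS = {"TLSv1.0": 0x0301, "TLSv1.1": 0x0302, "TLSv1.2": 0x0303}
VERSION_NAMES = {code: name for name, code in TLS_VERSIONS.items()}

# Alert descriptions a server uses to refuse a handshake (RFC 5246, section 7.2.2).
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version", 71: "insufficient_security"}

# CBC/SHA-1 suites defined for TLS 1.0, 1.1 and 1.2 alike, so any of the three can be chosen.
CIPHER_SUITES = [0xC013, 0xC014, 0x002F, 0x0035, 0x000A]

# Constructed sample responses for offline use (not captured from a real NiFi node).
SAMPLE_SERVER_HELLO_TLS11 = (
    b"\x16\x03\x02\x00\x2a"             # record: handshake, TLS 1.1, 42 bytes
    + b"\x02\x00\x00\x26"               # handshake: server_hello, 38 bytes
    + b"\x03\x02" + b"\x00" * 32        # server_version TLS 1.1, 32-byte random
    + b"\x00" + b"\xc0\x13" + b"\x00"   # empty session id, ECDHE-RSA-AES128-SHA, null compression
)
SAMPLE_ALERT_PROTOCOL_VERSION = b"\x15\x03\x03\x00\x02\x02\x46"  # fatal protocol_version alert


def build_client_hello(version: int, server_name: Optional[str] = None) -> bytes:
    """Legacy (pre-1.3) ClientHello whose client_version is the version under test."""
    body = struct.pack("!H", version) + os.urandom(32) + b"\x00"  # version, random, empty session id
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"  # one compression method: null
    if server_name:  # optional SNI so a name-based virtual host answers with the right certificate
        name = server_name.encode("idna")
        sni_list = b"\x00" + struct.pack("!H", len(name)) + name  # name_type host_name(0)
        sni_ext = struct.pack("!H", len(sni_list)) + sni_list
        ext = struct.pack("!HH", 0x0000, len(sni_ext)) + sni_ext
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # client_hello(1), 3-byte length
    # Record-layer version stays 1.0 for interoperability (RFC 5246, appendix E.1).
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def parse_server_response(data: bytes) -> Tuple[str, str]:
    """Classify the first TLS record returned for a ClientHello.

    ("accepted", "TLSv1.1")           ServerHello; detail is the version the server chose
    ("rejected", "protocol_version")  Alert; detail is the alert description
    ("no_tls", reason)                closed connection, short read or non-TLS bytes
    """
    if len(data) < 7:
        return ("no_tls", "connection closed or short read")
    if data[0] == 0x15:  # alert record: level at [5], description at [6]
        return ("rejected", ALERT_NAMES.get(data[6], f"alert_{data[6]}"))
    if data[0] == 0x16 and len(data) >= 11 and data[5] == 0x02:  # handshake / server_hello
        server_version = struct.unpack("!H", data[9:11])[0]
        return ("accepted", VERSION_NAMES.get(server_version, f"0x{server_version:04x}"))
    return ("no_tls", f"unexpected content type 0x{data[0]:02x}")


def probe(host: str, port: int, version_name: str, timeout: float = 5.0) -> Tuple[str, str]:
    """Offer exactly one TLS version to host:port and report what the server did."""
    server_name = None
    try:
        ipaddress.ip_address(host)  # SNI must carry a hostname, never a literal IP address
    except ValueError:
        server_name = host
    hello = build_client_hello(TLS_VERSIONS[version_name], server_name)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(hello)
            data = sock.recv(4096)
    except (socket.timeout, ConnectionError) as exc:
        return ("no_tls", type(exc).__name__)
    return parse_server_response(data)


def scan(host: str, port: int) -> Dict[str, Tuple[str, str]]:
    """Probe TLS 1.0, 1.1 and 1.2 in turn; an "accepted" 1.0 or 1.1 row is the CVE-2020-9491 condition."""
    return {name: probe(host, port, name) for name in TLS_VERSIONS}


if __name__ == "__main__":
    import sys

    target_host, target_port = sys.argv[1], int(sys.argv[2])  # e.g. nifi-node-1.example.internal 11443
    for name, (outcome, detail) in scan(target_host, target_port).items():
        print(f"{target_host}:{target_port} {name:<8} {outcome:<9} {detail}")
```

Run it once per intracluster port and once against the HTTPS port; a node on an affected build shows "accepted TLSv1.0" or "accepted TLSv1.1" on the cluster, Site-to-Site or load-balance ports while the HTTPS port returns a protocol_version alert for the same offers. The parser only looks at the first record, which is all a version check needs: a server that is going to refuse the offered version says so before sending anything else.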
Products affected by CVE-2020-9491
- cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-9491
- EPSS score: 2.83% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~85% (proportion of all scored vulnerabilities with a score at or below this one)
CVSS scores for CVE-2020-9491
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N (CVSS v2) | 10.0 | 2.9 | NIST | |
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2020-9491
- The product uses a broken or risky cryptographic algorithm or protocol. Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-9491
- https://lists.apache.org/thread.html/re48582efe2ac973f8cff55c8b346825cb491c71935e15ab2d61ef3bf@%3Ccommits.nifi.apache.org%3E (svn commit: r1882253 - /nifi/site/trunk/security.html; mailing list, vendor advisory)
- https://lists.apache.org/thread.html/r2d9c21f9ec35d66f2bb42f8abe876dabd786166b6284e9a33582c718@%3Ccommits.nifi.apache.org%3E ([nifi-site] branch main updated: Minor correction for CVE-2020-9491, Jira number from NIFI-7401 to NIFI-7407; mailing list, patch, vendor advisory)
- https://nifi.apache.org/security#CVE-2020-9491 (Apache NiFi Security Reports; vendor advisory)