Vulnerability Details : CVE-2022-33140
The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not neutralize arguments for group resolution commands, allowing injection of operating system commands on Linux and macOS platforms. The ShellUserGroupProvider is not included in the default configuration. Command injection requires ShellUserGroupProvider to be one of the enabled User Group Providers in the Authorizers configuration. Command injection also requires an authenticated user with elevated privileges. Apache NiFi requires an authenticated user with authorization to modify access policies in order to execute the command. Apache NiFi Registry requires an authenticated user with authorization to read user groups in order to execute the command. The resolution removes command formatting based on user-provided arguments.
Products affected by CVE-2022-33140
- cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*
- cpe:2.3:a:apache:nifi_registry:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-33140
2.61%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 91 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-33140
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.0
|
MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:P |
6.8
|
6.4
|
NIST | |
8.8
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
2.8
|
5.9
|
NIST |
CWE ids for CVE-2022-33140
-
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.Assigned by:
- nvd@nist.gov (Primary)
- security@apache.org (Secondary)
References for CVE-2022-33140
-
https://nifi.apache.org/security.html#CVE-2022-33140
Apache NiFi Security ReportsIssue Tracking;Vendor Advisory
-
https://lists.apache.org/thread/bzs2pcdjsdrh5039oslmfr9mbs9qqdhr
CVE-2022-33140: Apache NiFi, Apache NiFi Registry: Improper Neutralization of Command Elements in Shell User Group Provider-Apache Mail ArchivesMailing List;Vendor Advisory
Jump to