CVE-2019-10083 : Security Advisory and Response

Learn about CVE-2019-10083 affecting Apache NiFi versions 1.3.0 to 1.9.2. Unauthorized users may access restricted information via API updates. Find mitigation steps here.

Apache NiFi versions 1.3.0 to 1.9.2 are affected by an Information Disclosure vulnerability when making API updates to a Process Group. The response to the request may expose restricted information to unauthorized users.

Understanding CVE-2019-10083

This CVE entry pertains to an information disclosure issue in Apache NiFi versions 1.3.0 to 1.9.2.

What is CVE-2019-10083?

In versions 1.3.0 to 1.9.2 of Apache NiFi, updating a Process Group via the API can lead to an information disclosure vulnerability. The response to the request provides a comprehensive overview of the group's contents, potentially revealing restricted details to unauthorized users.

The Impact of CVE-2019-10083

The vulnerability allows unauthorized users to access sensitive information about processors and controller services within a Process Group, even if they do not have proper read access.

Technical Details of CVE-2019-10083

Apache NiFi CVE-2019-10083 involves the following technical aspects:

Vulnerability Description

When updating a Process Group via the API in NiFi versions 1.3.0 to 1.9.2, the response includes all contents at the topmost level, potentially exposing restricted details to unauthorized users.

Affected Systems and Versions

        Product: Apache NiFi
        Versions Affected: Apache NiFi 1.3.0 to 1.9.2

Exploitation Mechanism

The vulnerability occurs when making API updates to a Process Group, where the response provides a complete overview of the group's contents, including restricted information.

Mitigation and Prevention

To address CVE-2019-10083, consider the following mitigation strategies:

Immediate Steps to Take

        Upgrade Apache NiFi to a non-vulnerable version.
        Restrict API access to authorized users only.

Long-Term Security Practices

        Regularly review and update access controls.
        Monitor API requests for unusual activity.
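One way to act on the monitoring step above, as an added example that is not part of the original advisory or of Apache NiFi: scan the HTTP request log for successful Process Group updates (PUT /nifi-api/process-groups/{id}) made by identities that are not expected to edit flows. The log layout (NCSA combined, user names without spaces), the sample lines, and the names flag_pg_updates and expected_editors are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Assumption: request log lines follow the NCSA combined layout
# (host ident user [time] "METHOD path proto" status bytes ...).
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Process Group update itself: the id is the last path segment (no sub-resource).
PG_UPDATE_RE = re.compile(r'^/nifi-api/process-groups/(?P<pg>[^/?]+)/?(?:\?.*)?$')

# Constructed sample lines, not taken from a real system.
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Aug/2019:10:01:02 +0000] "PUT /nifi-api/process-groups/pg-0001 HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
10.0.0.9 - bob [12/Aug/2019:10:02:10 +0000] "PUT /nifi-api/process-groups/pg-0001 HTTP/1.1" 200 48190 "-" "curl/7.64.0"
10.0.0.9 - bob [12/Aug/2019:10:02:11 +0000] "GET /nifi-api/flow/status HTTP/1.1" 200 512 "-" "curl/7.64.0"
10.0.0.9 - bob [12/Aug/2019:10:03:40 +0000] "PUT /nifi-api/process-groups/pg-0002 HTTP/1.1" 403 120 "-" "curl/7.64.0"
10.0.0.7 - carol [12/Aug/2019:10:04:00 +0000] "PUT /nifi-api/process-groups/pg-0002/variable-registry HTTP/1.1" 200 300 "-" "Mozilla/5.0"
not a log line
"""

def flag_pg_updates(log_text, expected_editors):
    """Return {user: [(time, host, pg_id), ...]} for successful Process Group
    updates made by identities outside the expected_editors allowlist."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "PUT":
            continue  # unparseable line or not an update request
        pg = PG_UPDATE_RE.match(m["path"])
        # Rejected requests (non-2xx) are skipped: only a successful update
        # returns the response described in this advisory.
        if not pg or not m["status"].startswith("2"):
            continue
        if m["user"] not in expected_editors:
            findings[m["user"]].append((m["time"], m["host"], pg["pg"]))
    return dict(findings)

if __name__ == "__main__":
    for user, hits in flag_pg_updates(SAMPLE_LOG, {"alice"}).items():
        for when, host, pg in hits:
            print(f"review: {user} from {host} updated {pg} at {when}")
```

Each flagged identity is a prompt to check that user's read policies on the components inside the listed Process Group; the log alone cannot show whether restricted details were returned.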

Patching and Updates

        Apply security patches provided by Apache NiFi to fix the information disclosure vulnerability.
