CVE-2020-9487
Missing Authentication for Critical Function in Apache NiFi
CVSS 3.1 base score: 7.5 (HIGH)
EPSS: 0.63%
Description
In Apache NiFi 1.0.0 to 1.11.4, the NiFi download token (one-time password) mechanism used a fixed cache size and did not authenticate requests to create a download token; authentication was only enforced when the token was used to access the content. An unauthenticated user could therefore repeatedly request download tokens until the fixed-size cache was full, preventing legitimate users from requesting download tokens.
How to fix CVE-2020-9487
To remediate CVE-2020-9487, upgrade the affected package to a fixed version below.
- no fix listed
- upgrade to 1.12.0-RC1 or later
Is CVE-2020-9487 being exploited?
Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 1.0.0, <= 1.11.4
- >= 1.0.0, < 1.12.0-RC1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.5) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |