Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 19 Nov 2019 13:41:39 -0500
From: Nathan Gough <>
Subject: [CVE-2019-10083] Apache NiFi process group information disclosure


[PRODUCT]:Apache NiFi

[VERSION]:Apache NiFi 1.3.0 to 1.9.2

[PROBLEMTYPE]:Information Disclosure


[DESCRIPTION]:As reported by Mark Payne, when updating a Process Group via
the API in NiFi versions 1.3.0 to 1.9.2, the response to the request
includes all of its contents (at the top most level, not recursively). The
response included details about processors and controller services which
the user may not have had read access to.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.