CVE-2019-10083
MEDIUM
Apache NiFi 1.3.0-1.9.2 - Unauthorized Sensitive Information Exposure via Process Group API
Title source: llm
Description
When updating a Process Group via the API in NiFi versions 1.3.0 to 1.9.2, the response to the request includes all of its contents (at the topmost level, not recursively). The response included details about processors and controller services which the user may not have had read access to.
References (2)
Core References
Vendor Advisory x_refsource_confirm
https://nifi.apache.org/security.html#CVE-2019-10083
Mailing List mailing-list x_refsource_mlist
https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E
Scores
CVSS v3
5.3
EPSS
0.0119
EPSS Percentile
79.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Details
CWE
CWE-200
Status
published
Products (3)
apache/nifi
1.3.0 - 1.9.2
org.apache.nifi/nifi
1.3.0 - 1.10.0 (Maven)
org.apache.nifi/nifi-web-api
1.3.0 - 1.10.0 (Maven)
Published
Nov 19, 2019
Tracked Since
Feb 18, 2026