CVE-2019-12421
HIGHApache NiFi 1.0.0-1.9.2 - Insufficient Session Expiration via Logout
Title source: llmDescription
When using an authentication mechanism other than PKI, when the user clicks Log Out in NiFi versions 1.0.0 to 1.9.2, NiFi invalidates the authentication token on the client side but not on the server side. This permits the user's client-side token to be used for up to 12 hours after logging out to make API requests to NiFi.
References (2)
Core 2
Core References
Vendor Advisory x_refsource_confirm
https://nifi.apache.org/security.html#CVE-2019-12421
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E
Scores
CVSS v3
8.8
EPSS
0.0056
EPSS Percentile
68.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-613
Status
published
Products (3)
apache/nifi
1.0.0 - 1.9.2
org.apache.nifi/nifi-web-api
1.3.0 - 1.10.0Maven
org.apache.nifi/nifi-web-security
1.3.0 - 1.10.0Maven
Published
Nov 19, 2019
Tracked Since
Feb 18, 2026