CVE-2020-9482

MEDIUM

Apache NiFi Registry 0.1.0-0.5.0 - Insufficient Session Expiration

Title source: llm
STIX 2.1

Description

If NiFi Registry 0.1.0 to 0.5.0 uses an authentication mechanism other than PKI, when the user clicks Log Out, NiFi Registry invalidates the authentication token on the client side but not on the server side. This permits the user's client-side token to be used for up to 12 hours after logging out to make API requests to NiFi Registry.

References (1)

Core 1
Core References
Patch, Vendor Advisory x_refsource_confirm
https://nifi.apache.org/registry-security.html#CVE-2020-9482

Scores

CVSS v3 6.5
EPSS 0.0092
EPSS Percentile 76.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Details

CWE
CWE-613
Status published
Products (2)
apache/nifi_registry 0.1.0 - 0.5.0
org.apache.nifi.registry/nifi-registry-web-api 0.1.0 - 0.7.0Maven
Published Apr 28, 2020
Tracked Since Feb 18, 2026