CVE-2020-9487
Severity: HIGH
Apache NiFi 1.0.0-1.11.4 - Unauthenticated Denial of Service via Download Token Flooding
In Apache NiFi 1.0.0 to 1.11.4, the NiFi download token (one-time password) mechanism used a fixed cache size and did not authenticate the request to create a download token; authentication was required only when the token was used to access the content. An unauthenticated user could repeatedly request download tokens, filling the fixed-size cache and preventing legitimate users from requesting download tokens.
References (1)
Vendor Advisory (x_refsource_misc): https://nifi.apache.org/security#CVE-2020-9487
Scores
CVSS v3
7.5
EPSS
0.0063
EPSS Percentile
70.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-306
Status
published
Products (2)
apache/nifi
1.0.0 - 1.11.4
org.apache.nifi/nifi
1.0.0 - 1.12.0-RC1 (Maven)
Published
Oct 01, 2020
Tracked Since
Feb 18, 2026