CVSS: 8.8EPSS: 1%CPEs: 4EXPL: 0CVE-2022-33140 – Improper Neutralization of Command Elements in Shell User Group Provider
https://notcve.org/view.php?id=CVE-2022-33140
15 Jun 2022 — The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not neutralize arguments for group resolution commands, allowing injection of operating system commands on Linux and macOS platforms. The ShellUserGroupProvider is not included in the default configuration. Command injection requires ShellUserGroupProvider to be one of the enabled User Group Providers in the Authorizers configuration. Command injection also requires an authenticated user with el... • https://lists.apache.org/thread/bzs2pcdjsdrh5039oslmfr9mbs9qqdhr • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-9482
https://notcve.org/view.php?id=CVE-2020-9482
28 Apr 2020 — If NiFi Registry 0.1.0 to 0.5.0 uses an authentication mechanism other than PKI, when the user clicks Log Out, NiFi Registry invalidates the authentication token on the client side but not on the server side. This permits the user's client-side token to be used for up to 12 hours after logging out to make API requests to NiFi Registry. Si NiFi Registry versiones 0.1.0 hasta 0.5.0 usa un mecanismo de autenticación distinto de PKI, cuando el usuario hace clic en Log Out, NiFi Registry invalida el token de aut... • https://nifi.apache.org/registry-security.html#CVE-2020-9482 • CWE-613: Insufficient Session Expiration •