CVE-2020-9487
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In Apache NiFi 1.0.0 to 1.11.4, the NiFi download token (one-time password) mechanism used a fixed cache size and did not authenticate a request to create a download token, only when attempting to use the token to access the content. An unauthenticated user could repeatedly request download tokens, preventing legitimate users from requesting download tokens.
En Apache NiFi versiones 1.0.0 hasta 1.11.4, el mecanismo del token de descarga de NiFi (contraseña de un solo uso) usaba un tamaño de caché fijo y no autenticaba una petición para crear un token de descarga, solo cuando se intentaba usar el token para acceder al contenido. Un usuario no autenticado podría solicitar tokens de descarga de forma repetida, impidiendo que los usuarios legítimos soliciten tokens de descarga
CVSS Scores
SSVC
- Decision:-
Timeline
- 2020-03-01 CVE Reserved
- 2020-10-01 CVE Published
- 2023-08-24 EPSS Updated
- 2024-08-04 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-306: Missing Authentication for Critical Function
CAPEC
References (1)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://nifi.apache.org/security#CVE-2020-9487 | 2020-10-05 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Apache Search vendor "Apache" | Nifi Search vendor "Apache" for product "Nifi" | >= 1.0.0 <= 1.11.4 Search vendor "Apache" for product "Nifi" and version " >= 1.0.0 <= 1.11.4" | - |
Affected
| ||||||