When creating or updating credentials for single-user access, Apache NiFi wrote a copy of the Login Identity Providers configuration to the operating system temporary directory. On most platforms, the operating system temporary directory has global read permissions. NiFi immediately moved the temporary file to the final configuration directory, which significantly limited the window of opportunity for access. NiFi 1.16.0 includes updates to replace the Login Identity Providers configuration without writing a file to the operating system temporary directory.
References
Link | Resource |
---|---|
http://www.openwall.com/lists/oss-security/2022/04/06/2 | Mailing List Third Party Advisory |
https://nifi.apache.org/security.html#CVE-2022-26850 | Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: apache
Published: 2022-04-06T17:40:09
Updated: 2022-04-06T20:06:16
Reserved: 2022-03-10T00:00:00
Link: CVE-2022-26850
JSON object: View
NVD Information
Status : Analyzed
Published: 2022-04-06T18:15:09.047
Modified: 2023-08-08T14:22:24.967
Link: CVE-2022-26850
JSON object: View
Redhat Information
No data.
CWE