CVE-2020-9482: Insufficient Session Expiration

February 9, 2022

If NiFi Registry to uses an authentication mechanism other than PKI, when the user clicks Log Out, NiFi Registry invalidates the authentication token on the client side but not on the server side. This permits the user’s client-side token to be used for up to hours after logging out to make API requests to NiFi Registry.

References

github.com/advisories/GHSA-rcwj-2hj2-vmjj
github.com/apache/nifi-registry/commit/2881e29dce3a179f3e56069b82ef8cbb7bd8d85c
github.com/apache/nifi-registry/pull/277/files/9f7f1c1b1095e3facdaa986435fa94eff78627dd
nifi.apache.org/registry-security.html
nvd.nist.gov/vuln/detail/CVE-2020-9482

Code Behaviors & Features

Detect and mitigate CVE-2020-9482 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →