CVE-2020-9482: Insufficient Session Expiration

April 28, 2020 (updated May 5, 2020)

If the NiFi Registry uses an authentication mechanism other than PKI, the NiFi Registry would invalidate the authentication token on the client side but not on the server side during user logout. This permits the user’s client-side token to be used after logging out to make API requests to NiFi Registry potentially hours after the user clicked logout.

References

nifi.apache.org/registry-security.html
nvd.nist.gov/vuln/detail/CVE-2020-9482

Code Behaviors & Features

Detect and mitigate CVE-2020-9482 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →