oss-sec mailing list archives

CVE-2023-41180: Apache NiFi MiNiFi C++: Incorrect Certificate Validation in InvokeHTTP for MiNiFi C++


From: Marton Szasz <szaszm () apache org>
Date: Sat, 02 Sep 2023 20:41:50 +0000

Severity: important

Affected versions:

- Apache NiFi MiNiFi C++ 0.13.0 through 0.14.0

Description:

Incorrect certificate validation in InvokeHTTP on Apache NiFi MiNiFi C++ versions 0.13.0 through 0.14.0 allows an 
intermediary to present a forged certificate during TLS handshake negotiation. The Disable Peer Verification property 
of InvokeHTTP was effectively inverted: with the property at its default value, HTTPS connections were made without 
verifying the server certificate, so the processor would accept any certificate presented by a man-in-the-middle.

Mitigation: Set the Disable Peer Verification property of InvokeHTTP to true when using MiNiFi C++ versions 0.13.0 or 
0.14.0. Because the property is inverted in those releases, true is the value that actually enables peer verification 
there. Upgrading to MiNiFi C++ 0.15.0 corrects the default behavior; after upgrading, set the property back to false 
(or remove it), since in the corrected release true disables verification as its name says.
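As an added illustration (not part of this advisory and not the MiNiFi C++ project's own configuration), a config.yml 
fragment carrying the workaround on an affected release. The flow-definition keys, the InvokeHTTP class name, the 
SSLContextService controller service and its property names, the relationship names, the ids and the paths are 
assumptions based on the MiNiFi C++ config.yml layout and should be checked against the version actually deployed; 
only the Disable Peer Verification property and its version-dependent meaning come from the advisory.

```yaml
# Added example, not the project's own configuration. Keys, class names,
# ids and paths are assumptions; verify them against your MiNiFi C++ release.
MiNiFi Config Version: 3
Flow Controller:
  name: invokehttp-workaround
Processors:
  - name: InvokeHTTP
    id: 00000000-0000-0000-0000-000000000001   # placeholder id
    class: org.apache.nifi.processors.standard.InvokeHTTP
    scheduling strategy: TIMER_DRIVEN
    scheduling period: 10 sec
    auto-terminated relationships list:
      - success
      - response
      - retry
      - no retry
      - failure
    Properties:
      HTTP Method: POST
      Remote URL: https://collector.example.internal/ingest   # placeholder URL
      SSL Context Service: SSLContextService
      # MiNiFi C++ 0.13.0 / 0.14.0 ONLY: the property is inverted there, so
      # 'true' is what actually turns server certificate verification ON.
      # On 0.15.0 and later set this back to 'false' (or omit it); leaving
      # 'true' in place after the upgrade disables verification.
      Disable Peer Verification: true
Controller Services:
  - name: SSLContextService
    id: 00000000-0000-0000-0000-000000000002   # placeholder id
    class: SSLContextService
    Properties:
      CA Certificate: /etc/minifi/certs/ca.pem           # placeholder path
      Client Certificate: /etc/minifi/certs/client.pem   # placeholder path
      Private Key: /etc/minifi/certs/client.key          # placeholder path
Connections: []
Remote Processing Groups: []
```

Because the same literal value means opposite things on 0.14.0 and 0.15.0, the property value cannot be copied 
between releases; treat it as release-specific and confirm the behaviour after any upgrade by pointing the processor 
at a host with an untrusted certificate and checking that the request is rejected.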

This issue is being tracked as MINIFICPP-2170 

Credit:

Ferenc Gerlits (finder)

References:

https://nifi.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-41180
https://issues.apache.org/jira/browse/MINIFICPP-2170

