{
  "GSD": {
    "alias": "CVE-2022-26850",
    "description": "When creating or updating credentials for single-user access, Apache NiFi wrote a copy of the Login Identity Providers configuration to the operating system temporary directory. On most platforms, the operating system temporary directory has global read permissions. NiFi immediately moved the temporary file to the final configuration directory, which significantly limited the window of opportunity for access. NiFi 1.16.0 includes updates to replace the Login Identity Providers configuration without writing a file to the operating system temporary directory.",
    "id": "GSD-2022-26850"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-26850"
      ],
      "details": "When creating or updating credentials for single-user access, Apache NiFi wrote a copy of the Login Identity Providers configuration to the operating system temporary directory. On most platforms, the operating system temporary directory has global read permissions. NiFi immediately moved the temporary file to the final configuration directory, which significantly limited the window of opportunity for access. NiFi 1.16.0 includes updates to replace the Login Identity Providers configuration without writing a file to the operating system temporary directory.",
      "id": "GSD-2022-26850",
      "modified": "2023-12-13T01:19:39.009427Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@apache.org",
        "ID": "CVE-2022-26850",
        "STATE": "PUBLIC",
        "TITLE": "Insufficiently protected credentials"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Apache NiFi",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_name": "NiFi",
                          "version_value": "1.14.0 to 1.15.3"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Apache Software Foundation"
            }
          ]
        }
      },
      "credit": [
        {
          "lang": "eng",
          "value": "This issue was discovered by Jonathan Leitschuh (https://twitter.com/jlleitschuh)"
        }
      ],
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "When creating or updating credentials for single-user access, Apache NiFi wrote a copy of the Login Identity Providers configuration to the operating system temporary directory. On most platforms, the operating system temporary directory has global read permissions. NiFi immediately moved the temporary file to the final configuration directory, which significantly limited the window of opportunity for access. NiFi 1.16.0 includes updates to replace the Login Identity Providers configuration without writing a file to the operating system temporary directory."
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "impact": [
        {
          "other": "moderate"
        }
      ],
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Insufficiently protected credentials"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://nifi.apache.org/security.html#CVE-2022-26850",
            "refsource": "MISC",
            "url": "https://nifi.apache.org/security.html#CVE-2022-26850"
          },
          {
            "name": "[oss-security] 20220406 CVE-2022-26850: Apache NiFi: Insufficiently protected credentials",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2022/04/06/2"
          }
        ]
      },
      "source": {
        "defect": [
          "NIFI-9785"
        ],
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "(,1.15.3]",
          "affected_versions": "All versions up to 1.15.3",
          "cvss_v2": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-522",
            "CWE-937"
          ],
          "date": "2022-06-20",
          "description": "When creating or updating credentials for single-user access, Apache NiFi wrote a copy of the Login Identity Providers configuration to the operating system temporary directory. On most platforms, the operating system temporary directory has global read permissions. NiFi immediately moved the temporary file to the final configuration directory, which significantly limited the window of opportunity for access. NiFi 1.16.0 includes updates to replace the Login Identity Providers configuration without writing a file to the operating system temporary directory.",
          "fixed_versions": [
            "1.16"
          ],
          "identifier": "CVE-2022-26850",
          "identifiers": [
            "GHSA-rvp4-r3g6-8hxq",
            "CVE-2022-26850"
          ],
          "not_impacted": "All versions after 1.15.3",
          "package_slug": "maven/org.apache.nifi/nifi-single-user-utils",
          "pubdate": "2022-06-20",
          "solution": "Upgrade to version 1.16 or above.",
          "title": "Insufficiently Protected Credentials",
          "urls": [
            "https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-rvp4-r3g6-8hxq",
            "https://nvd.nist.gov/vuln/detail/CVE-2022-26850",
            "https://nifi.apache.org/security.html#CVE-2022-26850",
            "http://www.openwall.com/lists/oss-security/2022/04/06/2",
            "https://github.com/advisories/GHSA-rvp4-r3g6-8hxq"
          ],
          "uuid": "aba42f11-096c-4bc5-a4b5-9461da2e5102"
        },
        {
          "affected_range": "[1.14.0,1.16.0)",
          "affected_versions": "All versions starting from 1.14.0 before 1.16.0",
          "cvss_v2": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-668",
            "CWE-937"
          ],
          "date": "2023-08-08",
          "description": "When creating or updating credentials for single-user access, Apache NiFi wrote a copy of the Login Identity Providers configuration to the operating system temporary directory. On most platforms, the operating system temporary directory has global read permissions. NiFi immediately moved the temporary file to the final configuration directory, which significantly limited the window of opportunity for access. NiFi 1.16.0 includes updates to replace the Login Identity Providers configuration without writing a file to the operating system temporary directory.",
          "fixed_versions": [
            "1.16.0"
          ],
          "identifier": "CVE-2022-26850",
          "identifiers": [
            "CVE-2022-26850"
          ],
          "not_impacted": "All versions before 1.14.0, all versions starting from 1.16.0",
          "package_slug": "maven/org.apache.nifi/nifi",
          "pubdate": "2022-04-06",
          "solution": "Upgrade to version 1.16.0 or above.",
          "title": "Insufficiently Protected Credentials",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2022-26850",
            "https://nifi.apache.org/security.html#CVE-2022-26850",
            "http://www.openwall.com/lists/oss-security/2022/04/06/2"
          ],
          "uuid": "d5b6df3f-f556-469e-98f1-72621c9d65bc"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.16.0",
                "versionStartIncluding": "1.14.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2022-26850"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "When creating or updating credentials for single-user access, Apache NiFi wrote a copy of the Login Identity Providers configuration to the operating system temporary directory. On most platforms, the operating system temporary directory has global read permissions. NiFi immediately moved the temporary file to the final configuration directory, which significantly limited the window of opportunity for access. NiFi 1.16.0 includes updates to replace the Login Identity Providers configuration without writing a file to the operating system temporary directory."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-522"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://nifi.apache.org/security.html#CVE-2022-26850",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://nifi.apache.org/security.html#CVE-2022-26850"
            },
            {
              "name": "[oss-security] 20220406 CVE-2022-26850: Apache NiFi: Insufficiently protected credentials",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2022/04/06/2"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 4.0,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      },
      "lastModifiedDate": "2022-04-14T15:57Z",
      "publishedDate": "2022-04-06T18:15Z"
    }
  }
}

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.15.3"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.nifi:nifi-single-user-utils"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-26850"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-522"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-20T22:33:41Z",
    "nvd_published_at": "2022-04-06T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\n`org.apache.nifi.authentication.single.user.writer.StandardLoginCredentialsWriter` contains a local information disclosure vulnerability due to writing credentials (username and password) to a file that is readable by all other users on unix-like systems. On unix-like systems, the system\u0027s temporary directory is shared between all users on that system. As such, files written to that directory without setting the correct file permissions can allow other users on that system to view the contents of the files written to those temporary files.\n\n### Source\n\nAn insecure temporary file is created here:\n - https://github.com/apache/nifi/blob/6a1c7c72d5b91b9ce5d5cb5b86e3155d21e2c19b/nifi-commons/nifi-single-user-utils/src/main/java/org/apache/nifi/authentication/single/user/writer/StandardLoginCredentialsWriter.java#L75\n\nThe username and password credentials are written to this file here:\n - https://github.com/apache/nifi/blob/6a1c7c72d5b91b9ce5d5cb5b86e3155d21e2c19b/nifi-commons/nifi-single-user-utils/src/main/java/org/apache/nifi/authentication/single/user/writer/StandardLoginCredentialsWriter.java#L85-L95\n\n### Patches\n\nThe vulnerability has been patched in version `1.16`.\n\n### Prerequisites\n\nThis vulnerability impacts Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users.\n\n### Workarounds\n\nSetting the `java.io.tmpdir` system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability for all operating systems.\n\n### References\n\n - https://issues.apache.org/jira/browse/NIFI-9785\n - https://github.com/apache/nifi/commit/859d5fe\n - https://github.com/apache/nifi/pull/5856\n - https://nifi.apache.org/security.html#CVE-2022-26850\n - https://twitter.com/JLLeitschuh/status/1511736635645435904?s=20\u0026t=I3w3zF6Y2DUvWYsEFqERjg",
  "id": "GHSA-rvp4-r3g6-8hxq",
  "modified": "2023-08-08T20:30:32Z",
  "published": "2022-06-20T22:33:41Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-rvp4-r3g6-8hxq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26850"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/nifi/commit/859d5fe"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/nifi/commit/859d5fe8cfe05ad24600b021f0ebf15753a8105c"
    },
    {
      "type": "WEB",
      "url": "https://nifi.apache.org/security.html#CVE-2022-26850"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/04/06/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Insufficiently Protected Credentials via Insecure Temporary File in org.apache.nifi:nifi-single-user-utils"
}