cve-2022-26850
Vulnerability from cvelistv5
Published
2022-04-06 17:40
Modified
2024-08-03 05:11
Severity ?
EPSS score ?
Summary
Insufficiently protected credentials
References
▼ | URL | Tags | |
---|---|---|---|
security@apache.org | http://www.openwall.com/lists/oss-security/2022/04/06/2 | Mailing List, Third Party Advisory | |
security@apache.org | https://nifi.apache.org/security.html#CVE-2022-26850 | Vendor Advisory |
Impacted products
▼ | Vendor | Product |
---|---|---|
Apache Software Foundation | Apache NiFi |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T05:11:45.347Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://nifi.apache.org/security.html#CVE-2022-26850" }, { "name": "[oss-security] 20220406 CVE-2022-26850: Apache NiFi: Insufficiently protected credentials", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/04/06/2" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache NiFi", "vendor": "Apache Software Foundation", "versions": [ { "status": "affected", "version": "NiFi 1.14.0 to 1.15.3" } ] } ], "credits": [ { "lang": "en", "value": "This issue was discovered by Jonathan Leitschuh (https://twitter.com/jlleitschuh)" } ], "descriptions": [ { "lang": "en", "value": "When creating or updating credentials for single-user access, Apache NiFi wrote a copy of the Login Identity Providers configuration to the operating system temporary directory. On most platforms, the operating system temporary directory has global read permissions. NiFi immediately moved the temporary file to the final configuration directory, which significantly limited the window of opportunity for access. NiFi 1.16.0 includes updates to replace the Login Identity Providers configuration without writing a file to the operating system temporary directory." } ], "metrics": [ { "other": { "content": { "other": "moderate" }, "type": "unknown" } } ], "problemTypes": [ { "descriptions": [ { "description": "Insufficiently protected credentials", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-04-06T20:06:16", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://nifi.apache.org/security.html#CVE-2022-26850" }, { "name": "[oss-security] 20220406 CVE-2022-26850: Apache NiFi: Insufficiently protected credentials", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2022/04/06/2" } ], "source": { "defect": [ "NIFI-9785" ], "discovery": "UNKNOWN" }, "title": "Insufficiently protected credentials", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2022-26850", "STATE": "PUBLIC", "TITLE": "Insufficiently protected credentials" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache NiFi", "version": { "version_data": [ { "version_affected": "=", "version_name": "NiFi", "version_value": "1.14.0 to 1.15.3" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "credit": [ { "lang": "eng", "value": "This issue was discovered by Jonathan Leitschuh (https://twitter.com/jlleitschuh)" } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "When creating or updating credentials for single-user access, Apache NiFi wrote a copy of the Login Identity Providers configuration to the operating system temporary directory. On most platforms, the operating system temporary directory has global read permissions. NiFi immediately moved the temporary file to the final configuration directory, which significantly limited the window of opportunity for access. NiFi 1.16.0 includes updates to replace the Login Identity Providers configuration without writing a file to the operating system temporary directory." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": [ { "other": "moderate" } ], "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Insufficiently protected credentials" } ] } ] }, "references": { "reference_data": [ { "name": "https://nifi.apache.org/security.html#CVE-2022-26850", "refsource": "MISC", "url": "https://nifi.apache.org/security.html#CVE-2022-26850" }, { "name": "[oss-security] 20220406 CVE-2022-26850: Apache NiFi: Insufficiently protected credentials", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/04/06/2" } ] }, "source": { "defect": [ "NIFI-9785" ], "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2022-26850", "datePublished": "2022-04-06T17:40:09", "dateReserved": "2022-03-10T00:00:00", "dateUpdated": "2024-08-03T05:11:45.347Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2022-26850\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2022-04-06T18:15:09.047\",\"lastModified\":\"2023-08-08T14:22:24.967\",\"vulnStatus\":\"Analyzed\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"When creating or updating credentials for single-user access, Apache NiFi wrote a copy of the Login Identity Providers configuration to the operating system temporary directory. On most platforms, the operating system temporary directory has global read permissions. NiFi immediately moved the temporary file to the final configuration directory, which significantly limited the window of opportunity for access. NiFi 1.16.0 includes updates to replace the Login Identity Providers configuration without writing a file to the operating system temporary directory.\"},{\"lang\":\"es\",\"value\":\"Cuando son creadas o actualizadas las credenciales para el acceso de un solo usuario, Apache NiFi escribe una copia de la configuraci\u00f3n de los proveedores de identidad de inicio de sesi\u00f3n en el directorio temporal del sistema operativo. En la mayor\u00eda de las plataformas, el directorio temporal del sistema operativo presenta permisos de lectura globales. NiFi movi\u00f3 inmediatamente el archivo temporal al directorio de configuraci\u00f3n final, lo que limit\u00f3 significativamente la ventana de oportunidad de acceso. NiFi versi\u00f3n 1.16.0 incluye actualizaciones para sustituir la configuraci\u00f3n de los proveedores de identidad de inicio de sesi\u00f3n sin escribir un archivo en el directorio temporal del sistema operativo\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:P/I:N/A:N\",\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\",\"baseScore\":4.0},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-668\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.14.0\",\"versionEndExcluding\":\"1.16.0\",\"matchCriteriaId\":\"9463A679-D716-4CD8-8EFA-E4C8E76B3E91\"}]}]}],\"references\":[{\"url\":\"http://www.openwall.com/lists/oss-security/2022/04/06/2\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://nifi.apache.org/security.html#CVE-2022-26850\",\"source\":\"security@apache.org\",\"tags\":[\"Vendor Advisory\"]}]}}" } }
Loading...
Loading...
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.