CVE-2022-33140 (GCVE-0-2022-33140)

Vulnerability from cvelistv5 – Published: 2022-06-15 14:25 – Updated: 2024-08-03 08:01
VLAI?
Summary
The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not neutralize arguments for group resolution commands, allowing injection of operating system commands on Linux and macOS platforms. The ShellUserGroupProvider is not included in the default configuration. Command injection requires ShellUserGroupProvider to be one of the enabled User Group Providers in the Authorizers configuration. Command injection also requires an authenticated user with elevated privileges. Apache NiFi requires an authenticated user with authorization to modify access policies in order to execute the command. Apache NiFi Registry requires an authenticated user with authorization to read user groups in order to execute the command. The resolution removes command formatting based on user-provided arguments.
Severity ?
No CVSS data available.
CWE
  • CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
Impacted products
Vendor Product Version
Apache Software Foundation Apache NiFi Affected: up to 1.16.2 , ≤ 1.16.2 (custom)
Affected: 1.10.0 , < 1.10.0* (custom)
Create a notification for this product.
    Apache Software Foundation Apache NiFi Registry Affected: up to 1.16.2 , ≤ 1.16.2 (custom)
Affected: 0.6.0 , < 0.6.0* (custom)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T08:01:19.873Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread/bzs2pcdjsdrh5039oslmfr9mbs9qqdhr"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://nifi.apache.org/security.html#CVE-2022-33140"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache NiFi",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "1.16.2",
              "status": "affected",
              "version": "up to 1.16.2",
              "versionType": "custom"
            },
            {
              "lessThan": "1.10.0*",
              "status": "affected",
              "version": "1.10.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Apache NiFi Registry",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "1.16.2",
              "status": "affected",
              "version": "up to 1.16.2",
              "versionType": "custom"
            },
            {
              "lessThan": "0.6.0*",
              "status": "affected",
              "version": "0.6.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not neutralize arguments for group resolution commands, allowing injection of operating system commands on Linux and macOS platforms. The ShellUserGroupProvider is not included in the default configuration. Command injection requires ShellUserGroupProvider to be one of the enabled User Group Providers in the Authorizers configuration. Command injection also requires an authenticated user with elevated privileges. Apache NiFi requires an authenticated user with authorization to modify access policies in order to execute the command. Apache NiFi Registry requires an authenticated user with authorization to read user groups in order to execute the command. The resolution removes command formatting based on user-provided arguments."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "other": "high"
            },
            "type": "unknown"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-06-15T14:25:15",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://lists.apache.org/thread/bzs2pcdjsdrh5039oslmfr9mbs9qqdhr"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://nifi.apache.org/security.html#CVE-2022-33140"
        }
      ],
      "source": {
        "defect": [
          "NIFI-10114"
        ],
        "discovery": "UNKNOWN"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2022-06-11T00:00:00",
          "value": "reported"
        }
      ],
      "title": "Improper Neutralization of Command Elements in Shell User Group Provider",
      "workarounds": [
        {
          "lang": "en",
          "value": "Disabling the ShellUserGroupProvider mitigates the vulnerability."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2022-33140",
          "STATE": "PUBLIC",
          "TITLE": "Improper Neutralization of Command Elements in Shell User Group Provider"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache NiFi",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_name": "up to 1.16.2",
                            "version_value": "1.16.2"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_name": "1.10.0",
                            "version_value": "1.10.0"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Apache NiFi Registry",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_name": "up to 1.16.2",
                            "version_value": "1.16.2"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_name": "0.6.0",
                            "version_value": "0.6.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not neutralize arguments for group resolution commands, allowing injection of operating system commands on Linux and macOS platforms. The ShellUserGroupProvider is not included in the default configuration. Command injection requires ShellUserGroupProvider to be one of the enabled User Group Providers in the Authorizers configuration. Command injection also requires an authenticated user with elevated privileges. Apache NiFi requires an authenticated user with authorization to modify access policies in order to execute the command. Apache NiFi Registry requires an authenticated user with authorization to read user groups in order to execute the command. The resolution removes command formatting based on user-provided arguments."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": [
          {
            "other": "high"
          }
        ],
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://lists.apache.org/thread/bzs2pcdjsdrh5039oslmfr9mbs9qqdhr",
              "refsource": "MISC",
              "url": "https://lists.apache.org/thread/bzs2pcdjsdrh5039oslmfr9mbs9qqdhr"
            },
            {
              "name": "https://nifi.apache.org/security.html#CVE-2022-33140",
              "refsource": "MISC",
              "url": "https://nifi.apache.org/security.html#CVE-2022-33140"
            }
          ]
        },
        "source": {
          "defect": [
            "NIFI-10114"
          ],
          "discovery": "UNKNOWN"
        },
        "timeline": [
          {
            "lang": "en",
            "time": "2022-06-11T00:00:00",
            "value": "reported"
          }
        ],
        "work_around": [
          {
            "lang": "en",
            "value": "Disabling the ShellUserGroupProvider mitigates the vulnerability."
          }
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2022-33140",
    "datePublished": "2022-06-15T14:25:15",
    "dateReserved": "2022-06-13T00:00:00",
    "dateUpdated": "2024-08-03T08:01:19.873Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"1.10.0\", \"versionEndIncluding\": \"1.16.2\", \"matchCriteriaId\": \"DF32EE88-DDE8-42A0-B231-59A08501A123\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:nifi_registry:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"0.6.0\", \"versionEndIncluding\": \"1.16.2\", \"matchCriteriaId\": \"72FE2DCA-C5F8-49F7-8C1E-B3F033CA3056\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"387021A0-AF36-463C-A605-32EA7DAC172E\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"703AF700-7A70-47E2-BC3A-7FD03B3CA9C1\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not neutralize arguments for group resolution commands, allowing injection of operating system commands on Linux and macOS platforms. The ShellUserGroupProvider is not included in the default configuration. Command injection requires ShellUserGroupProvider to be one of the enabled User Group Providers in the Authorizers configuration. Command injection also requires an authenticated user with elevated privileges. Apache NiFi requires an authenticated user with authorization to modify access policies in order to execute the command. Apache NiFi Registry requires an authenticated user with authorization to read user groups in order to execute the command. The resolution removes command formatting based on user-provided arguments.\"}, {\"lang\": \"es\", \"value\": \"El ShellUserGroupProvider opcional en Apache NiFi versiones 1.10.0 a 1.16.2 y Apache NiFi Registry 0.6.0 a 1.16.2 no neutraliza los argumentos para los comandos de resoluci\\u00f3n de grupos, permitiendo una inyecci\\u00f3n de comandos del sistema operativo en las plataformas Linux y macOS. El ShellUserGroupProvider no est\\u00e1 incluido en la configuraci\\u00f3n por defecto. La inyecci\\u00f3n de comandos requiere que ShellUserGroupProvider sea uno de los proveedores de grupos de usuarios habilitados en la configuraci\\u00f3n de Authorizers. La inyecci\\u00f3n de comandos tambi\\u00e9n requiere un usuario Autenticado con altos privilegios. Apache NiFi requiere un usuario autenticado con autorizaci\\u00f3n para modificar las pol\\u00edticas de acceso para poder ejecutar el comando. El Registro de Apache NiFi requiere un usuario autenticado con autorizaci\\u00f3n para leer los grupos de usuarios para poder ejecutar el comando. La resoluci\\u00f3n elimina el formato del comando basado en los argumentos proporcionados por el usuario\"}]",
      "id": "CVE-2022-33140",
      "lastModified": "2024-11-21T07:07:35.453",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:S/C:P/I:P/A:P\", \"baseScore\": 6.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 6.8, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2022-06-15T15:15:08.050",
      "references": "[{\"url\": \"https://lists.apache.org/thread/bzs2pcdjsdrh5039oslmfr9mbs9qqdhr\", \"source\": \"security@apache.org\", \"tags\": [\"Mailing List\", \"Vendor Advisory\"]}, {\"url\": \"https://nifi.apache.org/security.html#CVE-2022-33140\", \"source\": \"security@apache.org\", \"tags\": [\"Issue Tracking\", \"Vendor Advisory\"]}, {\"url\": \"https://lists.apache.org/thread/bzs2pcdjsdrh5039oslmfr9mbs9qqdhr\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Vendor Advisory\"]}, {\"url\": \"https://nifi.apache.org/security.html#CVE-2022-33140\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Issue Tracking\", \"Vendor Advisory\"]}]",
      "sourceIdentifier": "security@apache.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security@apache.org\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-78\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-78\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-33140\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2022-06-15T15:15:08.050\",\"lastModified\":\"2024-11-21T07:07:35.453\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not neutralize arguments for group resolution commands, allowing injection of operating system commands on Linux and macOS platforms. The ShellUserGroupProvider is not included in the default configuration. Command injection requires ShellUserGroupProvider to be one of the enabled User Group Providers in the Authorizers configuration. Command injection also requires an authenticated user with elevated privileges. Apache NiFi requires an authenticated user with authorization to modify access policies in order to execute the command. Apache NiFi Registry requires an authenticated user with authorization to read user groups in order to execute the command. The resolution removes command formatting based on user-provided arguments.\"},{\"lang\":\"es\",\"value\":\"El ShellUserGroupProvider opcional en Apache NiFi versiones 1.10.0 a 1.16.2 y Apache NiFi Registry 0.6.0 a 1.16.2 no neutraliza los argumentos para los comandos de resoluci\u00f3n de grupos, permitiendo una inyecci\u00f3n de comandos del sistema operativo en las plataformas Linux y macOS. El ShellUserGroupProvider no est\u00e1 incluido en la configuraci\u00f3n por defecto. La inyecci\u00f3n de comandos requiere que ShellUserGroupProvider sea uno de los proveedores de grupos de usuarios habilitados en la configuraci\u00f3n de Authorizers. La inyecci\u00f3n de comandos tambi\u00e9n requiere un usuario Autenticado con altos privilegios. Apache NiFi requiere un usuario autenticado con autorizaci\u00f3n para modificar las pol\u00edticas de acceso para poder ejecutar el comando. El Registro de Apache NiFi requiere un usuario autenticado con autorizaci\u00f3n para leer los grupos de usuarios para poder ejecutar el comando. La resoluci\u00f3n elimina el formato del comando basado en los argumentos proporcionados por el usuario\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:S/C:P/I:P/A:P\",\"baseScore\":6.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":6.8,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-78\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-78\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.10.0\",\"versionEndIncluding\":\"1.16.2\",\"matchCriteriaId\":\"DF32EE88-DDE8-42A0-B231-59A08501A123\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:nifi_registry:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"0.6.0\",\"versionEndIncluding\":\"1.16.2\",\"matchCriteriaId\":\"72FE2DCA-C5F8-49F7-8C1E-B3F033CA3056\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"387021A0-AF36-463C-A605-32EA7DAC172E\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"703AF700-7A70-47E2-BC3A-7FD03B3CA9C1\"}]}]}],\"references\":[{\"url\":\"https://lists.apache.org/thread/bzs2pcdjsdrh5039oslmfr9mbs9qqdhr\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]},{\"url\":\"https://nifi.apache.org/security.html#CVE-2022-33140\",\"source\":\"security@apache.org\",\"tags\":[\"Issue Tracking\",\"Vendor Advisory\"]},{\"url\":\"https://lists.apache.org/thread/bzs2pcdjsdrh5039oslmfr9mbs9qqdhr\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]},{\"url\":\"https://nifi.apache.org/security.html#CVE-2022-33140\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Vendor Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.