
====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN226
_____________________________________________________________________

DATE                : 28/04/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache NiFi Registry versions prior
                     to 0.6.0.

=====================================================================
https://nifi.apache.org/registry-security.html#CVE-2020-9482
_____________________________________________________________________

CVE-2020-9482: Apache NiFi Registry user log out issue

Severity: Moderate

Versions Affected:

    Apache NiFi Registry 0.1.0 - 0.5.0

Description: If NiFi Registry uses an authentication mechanism other
than PKI, when the user clicks Log Out, NiFi Registry invalidates the
authentication token on the client side but not on the server side. This
permits the user's client-side token to be used for up to 12 hours after
logging out to make API requests to NiFi Registry.

Mitigation: The fix to invalidate the server-side authentication token
immediately after the user clicks 'Log Out' was applied in the Apache
NiFi Registry 0.6.0 release.
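The following Python model is an added illustration of the failure mode in the
Description and of the server-side fix in the Mitigation; it is not NiFi
Registry code, and the HMAC-signed token format, the class and function names,
the 12-hour constant and the simulated clock are all constructed for the
example. It contrasts a logout that only drops the client's copy of a bearer
token (the token keeps working until it expires) with a logout that also
records the token as revoked on the server.

```python
"""Token revocation on logout: illustrative Python, not NiFi Registry code.

Constructed model of the CVE-2020-9482 failure mode: a bearer token discarded
only on the client keeps working until it expires (12 hours in the advisory),
versus a logout that also revokes the token server-side.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import secrets

# The 12-hour validity window cited in the advisory (assumed for this example).
TOKEN_LIFETIME_SECONDS = 12 * 60 * 60


class TokenService:
    """Minimal bearer-token issuer with a server-side revocation set (constructed)."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._revoked: set[str] = set()  # token ids (jti) invalidated by logout

    @staticmethod
    def _b64(data: bytes) -> str:
        return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

    def issue(self, username: str, now: float) -> str:
        """Return an HMAC-SHA256 signed token 'payload.signature' valid for 12 hours."""
        payload = {
            "sub": username,
            "jti": secrets.token_hex(8),  # unique id so one token can be revoked
            "exp": int(now + TOKEN_LIFETIME_SECONDS),
        }
        body = self._b64(json.dumps(payload, sort_keys=True).encode())
        sig = self._b64(hmac.new(self._secret, body.encode(), hashlib.sha256).digest())
        return f"{body}.{sig}"

    def _decode(self, token: str) -> dict | None:
        """Verify the signature and return the payload, or None if malformed/tampered."""
        try:
            body, sig = token.split(".")
        except ValueError:
            return None
        expected = self._b64(hmac.new(self._secret, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(sig, expected):
            return None
        padded = body + "=" * (-len(body) % 4)
        return json.loads(base64.urlsafe_b64decode(padded))

    def authorize(self, token: str, now: float) -> str | None:
        """Return the subject if the token is valid, unexpired and not revoked, else None."""
        payload = self._decode(token)
        if payload is None or now >= payload["exp"]:
            return None
        if payload["jti"] in self._revoked:
            return None
        return payload["sub"]

    def logout_client_only(self, client: dict) -> None:
        """Vulnerable pattern: only the client's copy is dropped; the server still honours it."""
        client.pop("token", None)

    def logout_with_revocation(self, client: dict) -> None:
        """Fixed pattern: the server records the token id as revoked when the client logs out."""
        token = client.pop("token", None)
        payload = self._decode(token) if token else None
        if payload is not None:
            self._revoked.add(payload["jti"])


def demo(now: float = 1_000_000.0) -> dict:
    """Run both logout variants against a retained copy of the token and report outcomes."""
    svc = TokenService(secrets.token_bytes(32))

    # Login, then a copy of the token survives logout (e.g. a cached request header).
    client = {"token": svc.issue("alice", now)}
    retained_copy = client["token"]
    svc.logout_client_only(client)
    still_valid = svc.authorize(retained_copy, now + 3600)  # one hour after logout

    # Same scenario with server-side revocation on logout.
    client = {"token": svc.issue("alice", now)}
    retained_copy_fixed = client["token"]
    svc.logout_with_revocation(client)
    after_fix = svc.authorize(retained_copy_fixed, now + 3600)

    # Even the unrevoked token stops working once the 12-hour lifetime elapses.
    after_expiry = svc.authorize(retained_copy, now + TOKEN_LIFETIME_SECONDS)
    return {
        "client_only_logout_still_valid": still_valid,
        "server_revocation": after_fix,
        "after_12h": after_expiry,
    }


if __name__ == "__main__":
    print(demo())
```

The revocation set is the minimal server-side state needed for logout to take
effect; a real deployment would persist it and prune entries after their `exp`
so it cannot grow without bound.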

CVE Link: Mitre Database: CVE-2020-9482

NiFi Registry Jira: NIFIREG-387

NiFi Registry PR: PR 277

Released: April 7, 2020


=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================
