Common Vulnerabilities and Exposures
Lists common vulnerabilities and exposures fixed in HDF 3.5.2.
The following CVEs have been fixed in HDF 3.5.2:
CVE-2020-9486
Component: Apache NiFi
Description: The NiFi stateless execution engine produced log output which included sensitive property values. When a flow was triggered, the flow definition configuration JSON was printed, potentially containing sensitive values in plaintext.
Severity: Important
Versions Affected: Apache NiFi 1.10.0 - 1.11.4
Apache CVE Report Link: https://nifi.apache.org/security.html#CVE-2020-9486
CVE-2020-9487
Component: Apache NiFi
Description: The NiFi download token (one-time password) mechanism used a fixed cache size and did not authenticate the request that created a download token; authentication was required only when the token was used to access the content. An unauthenticated user could repeatedly request download tokens, preventing legitimate users from requesting download tokens.
Severity: Important
Versions Affected: Apache NiFi 1.0.0 - 1.11.4
Apache CVE Report Link: https://nifi.apache.org/security.html#CVE-2020-9487
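The two properties the description turns on (whether identity is checked at token creation, and whether the cache can be filled by callers who never redeem anything) are easier to see in a small model. The following is an added illustration, not code from the page or from NiFi: the class names, capacities, the per-user cap, the TTL and the user names are all constructed for the example, and the hardened issuer is one defensible design rather than a description of how NiFi 1.12 implements its fix.

```python
import secrets
import time


class TokenCacheFull(Exception):
    """No slot is available for a new download token."""


class Unauthenticated(Exception):
    """Token creation was attempted without an authenticated identity."""


class NaiveTokenIssuer:
    """Weak pattern: fixed-size cache whose create() never checks identity."""

    def __init__(self, capacity=4):
        self.capacity = capacity
        self.tokens = {}  # token -> requester identity (None for anonymous)

    def create(self, user):
        # Anonymous callers consume slots exactly like authenticated ones.
        if len(self.tokens) >= self.capacity:
            raise TokenCacheFull("download token cache is full")
        token = secrets.token_urlsafe(16)
        self.tokens[token] = user
        return token

    def redeem(self, token, user):
        # Identity is checked only here, when the token is used.
        if self.tokens.get(token) != user:
            return False
        del self.tokens[token]
        return True


class HardenedTokenIssuer:
    """Authenticate at creation, cap tokens per identity, expire unused ones."""

    def __init__(self, capacity=1000, per_user=2, ttl_seconds=60.0, clock=time.monotonic):
        self.capacity = capacity
        self.per_user = per_user
        self.ttl = ttl_seconds
        self.clock = clock  # injectable so the demo can advance time
        self.tokens = {}  # token -> (user, expiry timestamp)

    def _evict_expired(self):
        now = self.clock()
        for token in [t for t, (_, exp) in self.tokens.items() if exp <= now]:
            del self.tokens[token]

    def create(self, user):
        if not user:
            raise Unauthenticated("authenticated identity required to create a download token")
        self._evict_expired()
        held = sum(1 for owner, _ in self.tokens.values() if owner == user)
        if held >= self.per_user:
            raise TokenCacheFull(f"{user} already holds {held} outstanding tokens")
        if len(self.tokens) >= self.capacity:
            raise TokenCacheFull("download token cache is full")
        token = secrets.token_urlsafe(16)
        self.tokens[token] = (user, self.clock() + self.ttl)
        return token

    def redeem(self, token, user):
        self._evict_expired()
        entry = self.tokens.get(token)
        if entry is None or entry[0] != user:
            return False  # unknown, expired, or issued to someone else
        del self.tokens[token]  # one-time use
        return True


def demo():
    """Exercise both issuers and return the observed outcomes (constructed scenario)."""
    out = {}
    naive = NaiveTokenIssuer(capacity=4)
    for _ in range(4):
        naive.create(None)  # four anonymous requests fill every slot
    try:
        naive.create("alice")
        out["naive_user_blocked"] = False
    except TokenCacheFull:
        out["naive_user_blocked"] = True

    clock = [0.0]
    hard = HardenedTokenIssuer(capacity=4, per_user=2, ttl_seconds=60.0, clock=lambda: clock[0])
    try:
        hard.create(None)
        out["anon_rejected"] = False
    except Unauthenticated:
        out["anon_rejected"] = True
    t1 = hard.create("alice")
    t2 = hard.create("alice")
    try:
        hard.create("alice")
        out["per_user_cap"] = False
    except TokenCacheFull:
        out["per_user_cap"] = True
    out["bob_still_served"] = bool(hard.create("bob"))
    out["redeem_once"] = hard.redeem(t1, "alice")
    out["redeem_twice"] = hard.redeem(t1, "alice")
    out["wrong_identity"] = hard.redeem(t2, "bob")
    clock[0] = 61.0  # past the TTL: t2 has expired
    out["expired"] = hard.redeem(t2, "alice")
    return out
```

Running `demo()` shows the naive issuer turning away an authenticated user once anonymous requests have filled the cache, while the hardened issuer refuses anonymous creation, caps outstanding tokens per identity so one caller cannot starve another, and reclaims slots when unused tokens expire.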
CVE-2020-9491
Component: Apache NiFi
Description: The NiFi UI and API were protected by mandating TLS v1.2, as were listening connections established by processors like ListenHTTP, HandleHttpRequest, etc. However, intracluster communication such as cluster request replication, Site-to-Site, and load balanced queues continued to support TLS v1.0 or v1.1.
Severity: Critical
Versions Affected: Apache NiFi 1.2.0 - 1.11.4
Apache CVE Report Link: https://nifi.apache.org/security.html#CVE-2020-9491
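Because the gap described above is per listener rather than cluster-wide, an operator verifying the upgrade wants to test each intracluster port separately (the cluster protocol, Site-to-Site and load-balance ports configured in nifi.properties) and not just the UI port. The checker below is an added example, not part of HDF or NiFi: it offers one TLS version per handshake and reports which of them the endpoint actually negotiates. Host and port are placeholders supplied by the caller.

```python
import socket
import ssl

# One handshake per entry; keys match what ssl.SSLSocket.version() returns.
VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}
ACCEPTABLE = {"TLSv1.2", "TLSv1.3"}


def single_version_context(version):
    """Client context that offers exactly one protocol version.

    Certificate verification is switched off on purpose: the question is
    whether the server *negotiates* the version, not whether its chain is
    trusted. OpenSSL's default security level refuses TLS 1.0/1.1 client-side,
    so it is lowered only for those probes.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = version
    ctx.maximum_version = version
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    if version < ssl.TLSVersion.TLSv1_2:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    return ctx


def probe(host, port, timeout=5.0):
    """Return {version_name: negotiated?} for the endpoint at host:port."""
    results = {}
    for name, version in VERSIONS.items():
        try:
            ctx = single_version_context(version)
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = tls.version() == name
        except (ssl.SSLError, OSError, ValueError):
            # Handshake refused, port closed, or the local OpenSSL build
            # cannot offer this version at all: treat as not negotiated.
            results[name] = False
    return results


def weak_versions(results):
    """Names of negotiated versions that should not be accepted."""
    return sorted(n for n, ok in results.items() if ok and n not in ACCEPTABLE)


def check_endpoint(host, port):
    """Convenience wrapper: True when no weak version was negotiated."""
    return weak_versions(probe(host, port)) == []
```

Run `check_endpoint("<node-host>", <cluster-port>)` against every node and every intracluster port after the upgrade; a non-empty `weak_versions` list for any of them means that listener is still negotiating a protocol version the fix was meant to remove. A `False` for TLSv1.2 on a port you know is live usually means the probing host's own OpenSSL or the server's cipher list, not the vulnerability, so read the results together rather than in isolation.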
CVE-2020-13940
Component: Apache NiFi
Description: The notification service manager and various policy authorizer and user group provider objects allowed trusted administrators to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE).
Severity: Low
Versions Affected: Apache NiFi 1.0.0 - 1.11.4
Apache CVE Report Link: https://nifi.apache.org/security.html#CVE-2020-13940