nifi-api-unauthorized-access: Apache Nifi Api Unauthorized Access

Date: 2025-08-01 | Affected software: Apache NiFi | PoC: public

Vulnerability description

Unauthorized access to the Apache NiFi API leads to command execution.

PoC code [public]

id: nifi-api-unauthorized-access

info:
  name: Apache Nifi Api Unauthorized Access
  author: wulalalaaa
  severity: high
  verified: false
  description: |-
    Apache NiFi Api未授权访问导致命令执行
  reference:
    - https://nifi.apache.org/docs/nifi-docs/rest-api/index.html
  tags: apache,nifi,unauth
  created: 2023/07/07

rules:
  r0:
    request:
      method: GET
      path: /nifi-api/flow/current-user
    expression: response.status == 200 && response.headers["content-type"].contains("json") && response.body.bcontains(b"\"identity\":\"anonymous\",\"anonymous\":true")
expression: r0()
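The template above flags a NiFi instance when an unauthenticated GET to /nifi-api/flow/current-user returns a JSON body containing the exact bytes "identity":"anonymous","anonymous":true. The following is an added example, not part of the template or of the NiFi project, that evaluates that rule offline against constructed sample responses. It also shows why a byte-for-byte substring match is brittle (key order or whitespace in the JSON defeats it) and how an operator checking their own deployment would compare the parsed fields instead. The response dictionaries, the field names `status`, `headers` and `body`, and the two helper function names are this example's own assumptions.

```python
import json

# Constructed sample responses (not captured from a real NiFi instance).
# The shape mirrors what the template's expression inspects: status, headers, body.
ANON_RESPONSE = {
    "status": 200,
    "headers": {"content-type": "application/json"},
    "body": b'{"identity":"anonymous","anonymous":true}',
}

# Same content as ANON_RESPONSE, but pretty-printed with a different key order.
PRETTY_ANON_RESPONSE = {
    "status": 200,
    "headers": {"content-type": "application/json"},
    "body": b'{\n  "anonymous": true,\n  "identity": "anonymous"\n}',
}

# A hardened instance: the API answers with an authenticated, non-anonymous user.
AUTH_RESPONSE = {
    "status": 200,
    "headers": {"content-type": "application/json"},
    "body": b'{"identity":"CN=alice, OU=NiFi","anonymous":false}',
}

# A hardened instance that rejects unauthenticated callers outright.
DENIED_RESPONSE = {
    "status": 401,
    "headers": {"content-type": "text/plain"},
    "body": b"Unauthorized",
}


def rule_r0_literal(resp):
    """Verbatim port of the template's expression: status, content-type and
    a raw substring match on the body. Returns True when the rule fires."""
    content_type = resp["headers"].get("content-type", "")
    return (
        resp["status"] == 200
        and "json" in content_type
        and b'"identity":"anonymous","anonymous":true' in resp["body"]
    )


def rule_r0_parsed(resp):
    """Same intent, but the body is parsed as JSON so the verdict does not
    depend on key order or whitespace. Returns True when anonymous access
    is being granted."""
    content_type = resp["headers"].get("content-type", "")
    if resp["status"] != 200 or "json" not in content_type:
        return False
    try:
        doc = json.loads(resp["body"])
    except ValueError:
        return False
    return doc.get("identity") == "anonymous" and doc.get("anonymous") is True


if __name__ == "__main__":
    for name, resp in [
        ("anonymous (compact)", ANON_RESPONSE),
        ("anonymous (pretty)", PRETTY_ANON_RESPONSE),
        ("authenticated user", AUTH_RESPONSE),
        ("access denied", DENIED_RESPONSE),
    ]:
        print(f"{name:22} literal={rule_r0_literal(resp)!s:5} parsed={rule_r0_parsed(resp)}")
```

The literal rule misses the pretty-printed body even though it represents the same exposed state, so a false negative there is a property of the template's substring check, not evidence that the instance is secured. The parsed variant gives the same answer for both encodings; either way, the condition an operator wants to see is the one in AUTH_RESPONSE or DENIED_RESPONSE, where the current-user endpoint never reports an anonymous identity to an unauthenticated caller.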
