nifi-api-unauthorized-access: Apache Nifi Api Unauthorized Access

日期: 2025-09-01 | 影响软件: Apache Nifi | POC: 已公开

漏洞描述

Apache NiFi Api未授权访问导致命令执行

PoC代码[已公开]

id: nifi-api-unauthorized-access

info:
    name: Apache Nifi Api Unauthorized Access
    author: wulalalaaa(https://github.com/wulalalaaa)
    severity: high
    verified: false
    description: Apache NiFi Api未授权访问导致命令执行
    reference:
        - https://nifi.apache.org/docs/nifi-docs/rest-api/index.html

rules:
    r0:
        request:
            method: GET
            path: /nifi-api/flow/current-user
        expression: response.status == 200 && response.headers["content-type"].contains("json") && response.body.bcontains(b"\"identity\":\"anonymous\",\"anonymous\":true")
expression: r0()

来源: https://github.com/zan8in/afrog/blob/main/pocs/afrog-pocs/unauthorized/nifi-api-unauthorized-access.yaml

漏洞描述

PoC代码[已公开]

相关漏洞推荐

nifi-unauth: Apache NiFi - Unauthenticated Access POC

CVE-2024-56512: Apache NiFi - Information Disclosure POC

Apache Nifi 信息泄露漏洞（CVE-2024-56512) 无POC

SourceCodester Pet Grooming Management Software SQL注入漏洞 无POC

D-Link DIR-645 命令注入漏洞 无POC

SourceCodester Pet Grooming Management Software SQL注入漏洞无POC

D-Link DIR-645 命令注入漏洞无POC