In Apache NiFi 1.0.0 to 1.11.4, the NiFi download token (one-time password) mechanism used a fixed cache size and did not authenticate a request to create a download token, only when attempting to use the token to access the content. An unauthenticated user could repeatedly request download tokens, preventing legitimate users from requesting download tokens.
Metrics
Affected Vendors & Products
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
Link | Providers |
---|---|
https://nifi.apache.org/security#CVE-2020-9487 |
![]() ![]() |
History
No history.

Status: PUBLISHED
Assigner: apache
Published:
Updated: 2024-08-04T10:26:16.254Z
Reserved: 2020-03-01T00:00:00
Link: CVE-2020-9487

No data.

Status : Modified
Published: 2020-10-01T20:15:14.253
Modified: 2024-11-21T05:40:44.937
Link: CVE-2020-9487

No data.

No data.