CVE-2023-41180

Incorrect certificate validation in InvokeHTTP on Apache NiFi MiNiFi C++ versions 0.13 to 0.14 allows an intermediary to present a forged certificate during TLS handshake negotation. The Disable Peer Verification property of InvokeHTTP was effectively flipped, disabling verification by default, when using HTTPS. Mitigation: Set the Disable Peer Verification property of InvokeHTTP to true when using MiNiFi C++ versions 0.13.0 or 0.14.0. Upgrading to MiNiFi C++ 0.15.0 corrects the default behavior.

CVSS v3 5.9 MEDIUM

5.9^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://lists.apache.org/thread/b51f8csysg1pvgs6xjjrq5hrjrvfot1y	Issue Tracking Mailing List Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:nifi_minifi_c\+\+:*:*:*:*:*:*:*:*

History

08 Sep 2023, 17:15

Type	Values Removed	Values Added
References	~~(MISC) https://lists.apache.org/thread/b51f8csysg1pvgs6xjjrq5hrjrvfot1y -~~	(MISC) https://lists.apache.org/thread/b51f8csysg1pvgs6xjjrq5hrjrvfot1y - Issue Tracking, Mailing List, Vendor Advisory
First Time		Apache Apache nifi Minifi C\+\+
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.9
CPE		cpe:2.3:a:apache:nifi_minifi_c\+\+::::::::

03 Sep 2023, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-09-03 16:15

Updated : 2023-12-10 15:14

NVD link : CVE-2023-41180

Mitre link : CVE-2023-41180

CVE.ORG link : CVE-2023-41180

JSON object : View

Products Affected

apache

nifi_minifi_c\+\+

CWE

CWE-295

Improper Certificate Validation

{"id": "CVE-2023-41180", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.2}]}, "published": "2023-09-03T16:15:10.823", "references": [{"url": "https://lists.apache.org/thread/b51f8csysg1pvgs6xjjrq5hrjrvfot1y", "tags": ["Issue Tracking", "Mailing List", "Vendor Advisory"], "source": "security@apache.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-295"}]}], "descriptions": [{"lang": "en", "value": "Incorrect certificate validation in InvokeHTTP on Apache NiFi MiNiFi C++ versions 0.13 to 0.14 allows an intermediary to present a forged certificate during TLS handshake negotation. The Disable Peer Verification property of InvokeHTTP was effectively flipped, disabling verification by default, when using HTTPS.\n\nMitigation: Set the Disable Peer Verification property of InvokeHTTP to true when using MiNiFi C++ versions 0.13.0 or 0.14.0. Upgrading to MiNiFi C++ 0.15.0 corrects the default behavior.\n\n"}, {"lang": "es", "value": "validaci\u00f3n incorrecta de certificados en nvokeHTTP sobre Apache NiFi MiNiFi C++ versions 0.13 to 0.14 permite a un intermediario presentar un certificado falsificado durante la negociaci\u00f3n del apret\u00f3n de manos TLS. La propiedad Disable Peer Verification de InvokeHTTP se invirti\u00f3 de forma efectiva, deshabilitando la verificaci\u00f3n por defecto, cuando se utiliza HTTPS. Mitigaci\u00f3n: Establezca la propiedad Disable Peer Verification de InvokeHTTP en true cuando utilice las versiones 0.13.0 o 0.14.0 de MiNiFi C++. La actualizaci\u00f3n a MiNiFi C++ 0.15.0 corrige el comportamiento predeterminado."}], "lastModified": "2023-09-08T17:15:34.357", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:nifi_minifi_c\\+\\+:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A24FBBF4-DE99-486C-881D-98ED60F40E10", "versionEndIncluding": "0.14.0", "versionStartIncluding": "0.13.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}