CVE-2020-9487

HIGH7.5EPSS 0.63%

Missing Authentication for Critical Function in Apache NiFi

Published: 1/6/2022Modified: 9/15/2025

Also known as:GHSA-3pp3-77j6-8ph6BIT-nifi-2020-9487

Description

In Apache NiFi 1.0.0 to 1.11.4, the NiFi download token (one-time password) mechanism used a fixed cache size and did not authenticate a request to create a download token, only when attempting to use the token to access the content. An unauthenticated user could repeatedly request download tokens, preventing legitimate users from requesting download tokens.

Affected packages (2)

Bitnami/nifi>= 1.0.0, <= 1.11.4
Maven/org.apache.nifi:nifi>= 1.0.0, < 1.12.0-RC1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-9487
WEBhttps://github.com/apache/nifi/commit/01e42dfb3291c3a3549023edadafd2d8023f3042
WEBhttps://nifi.apache.org/security#CVE-2020-9487