CVE-2019-12421
Apache NiFi user log out issue
8.8
HIGH
CVSS 3.1
EPSS 0.56%
Description
When using an authentication mechanism other than PKI, when the user clicks Log Out in NiFi versions 1.0.0 to 1.9.2, NiFi invalidates the authentication token on the client side but not on the server side. This permits the user's client-side token to be used for up to 12 hours after logging out to make API requests to NiFi.
How to fix CVE-2019-12421
To remediate CVE-2019-12421, upgrade the affected package to a fixed version below.
- —upgrade to 1.10.0 or later
- —upgrade to 1.10.0 or later
Is CVE-2019-12421 being exploited?
Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 1.3.0, < 1.10.0
- >= 1.3.0, < 1.10.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |