Apache NiFi Download Token Denial of Service Vulnerability

CVE-2020-9487 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

In Apache NiFi 1.0.0 to 1.11.4, the NiFi download token (one-time password) mechanism used a fixed cache size and authenticated the caller only when the token was used to access the content, not when the token was requested. An unauthenticated user could therefore repeatedly request download tokens, filling the cache and preventing legitimate users from requesting download tokens.
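The design flaw described above, modelled as an added example (this is not NiFi's code, and the hardened variant is one possible mitigation, not necessarily the fix NiFi shipped). The class and function names, the capacity of 100, the 300-second lifetime and the per-user limit are all assumptions made for illustration.

```python
import secrets

class TokenCache:
    """Constructed model of a fixed-capacity one-time download token cache."""

    def __init__(self, capacity, ttl, require_auth, per_user_limit=None):
        self.capacity = capacity              # fixed cache size
        self.ttl = ttl                        # seconds until a token expires
        self.require_auth = require_auth      # authenticate at issuance?
        self.per_user_limit = per_user_limit  # optional cap per identity
        self._tokens = {}                     # token -> (owner, expiry)

    def issue(self, user, now):
        """Return a new token, or None when the request is refused."""
        # Drop expired entries so stale tokens do not hold slots forever.
        self._tokens = {t: v for t, v in self._tokens.items() if v[1] > now}
        if self.require_auth and user is None:
            return None  # hardened: anonymous callers never reach the cache
        if self.per_user_limit is not None:
            held = sum(1 for owner, _ in self._tokens.values() if owner == user)
            if held >= self.per_user_limit:
                return None  # one identity cannot consume every slot
        if len(self._tokens) >= self.capacity:
            return None  # cache full: this is the denial of service
        token = secrets.token_urlsafe(16)
        self._tokens[token] = (user, now + self.ttl)
        return token

    def redeem(self, token, user, now):
        """One-time use; the caller is authenticated at this point."""
        entry = self._tokens.get(token)
        if user is None or entry is None or entry[0] != user or entry[1] <= now:
            return False
        del self._tokens[token]
        return True


def legit_user_served(cache, anonymous_requests, now=0.0):
    """Replay anonymous issuance requests, then one authenticated request."""
    for _ in range(anonymous_requests):
        cache.issue(user=None, now=now)
    return cache.issue(user="alice", now=now) is not None


if __name__ == "__main__":
    weak = TokenCache(capacity=100, ttl=300, require_auth=False)
    hardened = TokenCache(capacity=100, ttl=300, require_auth=True, per_user_limit=5)
    print("issuance unauthenticated:", legit_user_served(weak, 100))
    print("issuance authenticated:  ", legit_user_served(hardened, 100))
```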
