[ https://issues.apache.org/jira/browse/NIFI-9855?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Mike R updated NIFI-9855:
-------------------------
    Component/s: Security
        Summary: NiFi Can Delete Its Own Configuration Files  (was: NiFi Can Delete Its Own Processors)

> NiFi Can Delete Its Own Configuration Files
> -------------------------------------------
>
>                 Key: NIFI-9855
>                 URL: https://issues.apache.org/jira/browse/NIFI-9855
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 1.16.0, 1.15.2, 1.15.3
>         Environment: All Linux Distros
>            Reporter: Mike R
>            Priority: Major
>
> Using the GetFile and PutFile processors, an attacker could overwrite the
> configuration files to /dev/null. Using a regex of (.*?), an attacker
> could point the GetFile Processor to the directory in which the NiFi
> configuration files are located. If the attacker is able to log in, they
> can send the files to /dev/null on Linux, which, although it will cause a
> warning in the PutFile processor, will still process.
> This does not require that the attacker have access to the underlying system,
> but rather just NiFi itself.
> The ways to prevent this from happening would be to prevent the GetFile
> Processor and other NiFi processors from being able to directly read files
> from the configuration directories in a way that deletes the existing files;
> another option would be to have processors prevented from overwriting
> configuration directory files.

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
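
The kind of check the report proposes, written as an added example (it is not part of the Jira message and is not NiFi code): a source directory is rejected when it resolves into a protected configuration directory and the source files are not kept, and a destination is flagged when it exists but is not a directory. The function names, the parameters `keep_source` and `recurse`, and the temporary directory layout are assumptions made for illustration.

```python
import os
import tempfile

def _is_within(child, parent):
    # Both arguments are already resolved absolute paths.
    return os.path.commonpath([child, parent]) == parent

def getfile_deletion_risk(input_dir, keep_source, recurse, protected_dirs):
    """Return the protected directories this source configuration can empty."""
    if keep_source:  # source files are left in place, so nothing is deleted
        return []
    src = os.path.realpath(input_dir)  # resolves symlinks and ".."
    hits = []
    for p in protected_dirs:
        prot = os.path.realpath(p)
        inside = _is_within(src, prot)             # reads from within conf
        above = recurse and _is_within(prot, src)  # parent dir, recursion on
        if inside or above:
            hits.append(p)
    return hits

def putfile_non_directory(directory):
    """True when the destination exists but is not a directory."""
    d = os.path.realpath(directory)
    return os.path.exists(d) and not os.path.isdir(d)

def demo():
    # Constructed layout: <tmp>/nifi/conf, <tmp>/data, symlink <tmp>/alias -> conf
    root = tempfile.mkdtemp()
    nifi = os.path.join(root, "nifi")
    conf = os.path.join(nifi, "conf")
    data = os.path.join(root, "data")
    alias = os.path.join(root, "alias")
    os.makedirs(conf)
    os.makedirs(data)
    os.symlink(conf, alias)
    sink = os.path.join(data, "sink")  # regular file standing in for a device
    open(sink, "w").close()
    return {
        "direct": bool(getfile_deletion_risk(conf, False, False, [conf])),
        "alias": bool(getfile_deletion_risk(alias, False, False, [conf])),
        "parent_recursive": bool(getfile_deletion_risk(nifi, False, True, [conf])),
        "parent_flat": bool(getfile_deletion_risk(nifi, False, False, [conf])),
        "kept": bool(getfile_deletion_risk(conf, True, False, [conf])),
        "unrelated": bool(getfile_deletion_risk(data, False, True, [conf])),
        "bad_sink": putfile_non_directory(sink),
        "good_sink": putfile_non_directory(data),
    }
```

The check ignores the file filter on purpose: a filter such as the `(.*?)` in the report matches every file, so the directory relationship alone decides the result.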