[ https://issues.apache.org/jira/browse/NIFI-9855?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mike R updated NIFI-9855:
-------------------------
    Component/s: Security
        Summary: NiFi Can Delete Its Own Configuration Files  (was: NiFi Can Delete Its Own Processors)

> NiFi Can Delete Its Own Configuration Files
> -------------------------------------------
>
>                 Key: NIFI-9855
>                 URL: https://issues.apache.org/jira/browse/NIFI-9855
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 1.16.0, 1.15.2, 1.15.3
>         Environment: All Linux Distros
>            Reporter: Mike R
>            Priority: Major
>
> Using the GetFile and PutFile processors, an attacker could overwrite the 
> configuration files to /dev/null. Using a regex of (.*?), an attacker 
> could point the GetFile processor to the directory in which the NiFi 
> configuration files are located. If the attacker is able to log in, they 
> can send the files to /dev/null on Linux, which, although it will cause a 
> warning in the PutFile processor, will still process.
> This does not require that the attacker have access to the underlying system, 
> but rather just NiFi itself.
> One way to prevent this from happening would be to prevent the GetFile 
> processor and other NiFi processors from being able to directly read files 
> from the configuration directories in a way that deletes the existing files; 
> another option would be to have processors prevented from overwriting 
> configuration directory files.
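A defender-side audit for the flow shape described in this report, added here as an example and not code from the NiFi project or the reporter: it parses a flow.xml-style definition and flags GetFile processors that read from the configuration directory without keeping the source file, plus PutFile processors that write into it. The property names ("Input Directory", "Keep Source File", "Directory"), the conf path and the sample flow are assumptions constructed for illustration.

```python
"""Audit a NiFi flow definition (flow.xml format) for GetFile/PutFile processors that
touch the NiFi configuration directory.  Added example, not NiFi project code; it assumes
the stock property names "Input Directory", "Keep Source File" and "Directory", and the
sample flow below is constructed for illustration."""
import os
import xml.etree.ElementTree as ET

GETFILE = "org.apache.nifi.processors.standard.GetFile"
PUTFILE = "org.apache.nifi.processors.standard.PutFile"

# Constructed sample: the flow from the report (GetFile on conf, PutFile to /dev/null),
# plus a PutFile pointed back into conf and a harmless GetFile that keeps its sources.
SAMPLE_FLOW = """<flowController><rootGroup>
 <processor><id>p1</id><name>Drain conf</name><class>%s</class>
  <property><name>Input Directory</name><value>/opt/nifi/conf</value></property>
  <property><name>File Filter</name><value>(.*?)</value></property>
  <property><name>Keep Source File</name><value>false</value></property></processor>
 <processor><id>p2</id><name>Sink</name><class>%s</class>
  <property><name>Directory</name><value>/dev/null</value></property></processor>
 <processor><id>p3</id><name>Clobber conf</name><class>%s</class>
  <property><name>Directory</name><value>/opt/nifi/conf/../conf/</value></property></processor>
 <processor><id>p4</id><name>Ingest uploads</name><class>%s</class>
  <property><name>Input Directory</name><value>/data/in</value></property>
  <property><name>Keep Source File</name><value>true</value></property></processor>
</rootGroup></flowController>""" % (GETFILE, PUTFILE, PUTFILE, GETFILE)

def _inside(path, root):
    """True if path lies at or beneath root after normalisation (symlinks not resolved)."""
    if not path:
        return False
    path, root = os.path.abspath(path), os.path.abspath(root)
    return os.path.commonpath([path, root]) == root

def find_risky_processors(flow_xml, protected_dirs=("/opt/nifi/conf",)):
    """Return (processor name, reason) for each GetFile that would consume, and by
    default delete, files under a protected directory and each PutFile that would
    write into one.  Expression-language paths (${...}) are not evaluated."""
    findings = []
    for proc in ET.fromstring(flow_xml).iter("processor"):
        cls, name = proc.findtext("class"), proc.findtext("name")
        props = {p.findtext("name"): p.findtext("value") or "" for p in proc.iter("property")}
        for root in protected_dirs:
            if cls == GETFILE and _inside(props.get("Input Directory"), root):
                if props.get("Keep Source File", "false").lower() != "true":
                    findings.append((name, f"GetFile deletes files it reads from {root}"))
            elif cls == PUTFILE and _inside(props.get("Directory"), root):
                findings.append((name, f"PutFile can overwrite files under {root}"))
    return findings
```

The PutFile writing to /dev/null is not flagged on its own: the data loss in this report happens at GetFile, which removes what it reads unless "Keep Source File" is true.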



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
