CWE: CWE-522, CWE-668

CVE-2022-26850: Insufficiently protected credentials

First published: Wed Apr 06 2022

### Impact

`org.apache.nifi.authentication.single.user.writer.StandardLoginCredentialsWriter` contains a local information disclosure vulnerability: it writes credentials (username and password) to a temporary file that is readable by all other users on Unix-like systems. On those systems the system temporary directory is shared between all users, so a file written there without restrictive permissions can be read by any other local user on the same host.

### Source

An insecure temporary file is created here:

- https://github.com/apache/nifi/blob/6a1c7c72d5b91b9ce5d5cb5b86e3155d21e2c19b/nifi-commons/nifi-single-user-utils/src/main/java/org/apache/nifi/authentication/single/user/writer/StandardLoginCredentialsWriter.java#L75

The username and password credentials are written to this file here:

- https://github.com/apache/nifi/blob/6a1c7c72d5b91b9ce5d5cb5b86e3155d21e2c19b/nifi-commons/nifi-single-user-utils/src/main/java/org/apache/nifi/authentication/single/user/writer/StandardLoginCredentialsWriter.java#L85-L95

### Patches

The vulnerability has been patched in version `1.16`.

### Prerequisites

This vulnerability impacts Unix-like systems, and very old versions of Mac OS X and Windows, as they all share the system temporary directory between all users.

### Workarounds

Setting the `java.io.tmpdir` Java system property (for example `-Djava.io.tmpdir=/path/to/private/dir` on the JVM command line; it is a JVM property, not an operating-system environment variable) to a directory that is exclusively owned by, and accessible only to, the executing user removes the exposure on all operating systems, because other users can no longer reach the directory the file is written to.

### References

- https://issues.apache.org/jira/browse/NIFI-9785
- https://github.com/apache/nifi/commit/859d5fe
- https://github.com/apache/nifi/pull/5856
- https://nifi.apache.org/security.html#CVE-2022-26850
- https://twitter.com/JLLeitschuh/status/1511736635645435904?s=20&t=I3w3zF6Y2DUvWYsEFqERjg
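The following is an added example, not Apache NiFi's code and not the project's patch: it puts the insecure temporary-file pattern described above next to a hardened version, and adds a check for the `java.io.tmpdir` workaround. The file format, the sample credentials and the class and method names are constructed for illustration. It needs a POSIX file system (Linux, macOS) and Java 11 or later.

```java
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
import java.util.Set;

/**
 * Added example (not Apache NiFi code): insecure vs. hardened temporary file
 * for credentials, plus a check of the java.io.tmpdir workaround.
 */
public class TempCredentialFileDemo {

    // Constructed payload; NiFi's real on-disk format is not reproduced here.
    static String render(String username, String password) {
        return "username=" + username + "\npassword=" + password + "\n";
    }

    // VULNERABLE PATTERN: java.io.File.createTempFile puts the file in java.io.tmpdir
    // (normally the shared /tmp) with permissions derived from the process umask,
    // typically 0644 under the common umask 022, so every local user can read it.
    static Path writeInsecure(String username, String password) throws IOException {
        File tmp = File.createTempFile("login-credentials-", ".txt");
        Files.write(tmp.toPath(), render(username, password).getBytes(StandardCharsets.UTF_8));
        return tmp.toPath();
    }

    // HARDENED: create the file owner-read/write only (0600) at creation time, so there
    // is no window in which it exists with wider permissions. java.nio's
    // Files.createTempFile already defaults to owner-only on POSIX; the explicit
    // attribute documents the intent and does not depend on the umask.
    static Path writeHardened(String username, String password) throws IOException {
        Set<PosixFilePermission> ownerOnly =
                EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE);
        Path tmp = Files.createTempFile("login-credentials-", ".txt",
                PosixFilePermissions.asFileAttribute(ownerOnly));
        Files.write(tmp, render(username, password).getBytes(StandardCharsets.UTF_8));
        return tmp;
    }

    // True if group or others can read the file: the condition that leaks credentials.
    static boolean readableByOthers(Path path) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(path);
        return perms.contains(PosixFilePermission.GROUP_READ)
                || perms.contains(PosixFilePermission.OTHERS_READ);
    }

    // Check for the documented workaround: java.io.tmpdir must be owned by the
    // running user and carry no group/other permission bits at all.
    static boolean tmpdirIsPrivate() throws IOException {
        Path tmpdir = Path.of(System.getProperty("java.io.tmpdir"));
        boolean ownedByMe = Files.getOwner(tmpdir).getName()
                .equals(System.getProperty("user.name"));
        boolean ownerBitsOnly = Files.getPosixFilePermissions(tmpdir).stream()
                .allMatch(p -> p.name().startsWith("OWNER_"));
        return ownedByMe && ownerBitsOnly;
    }

    public static void main(String[] args) throws IOException {
        if (!FileSystems.getDefault().supportedFileAttributeViews().contains("posix")) {
            System.out.println("No POSIX permission view on this file system; nothing to show.");
            return;
        }
        String user = "admin";                       // constructed sample credentials
        String pass = "constructed-example-secret";
        Path insecure = writeInsecure(user, pass);
        Path hardened = writeHardened(user, pass);
        try {
            report("insecure", insecure);
            report("hardened", hardened);
            System.out.println("java.io.tmpdir=" + System.getProperty("java.io.tmpdir")
                    + (tmpdirIsPrivate() ? "  (private: workaround in effect)"
                                         : "  (shared: workaround NOT in effect)"));
        } finally {
            Files.deleteIfExists(insecure);   // never leave sample credentials behind
            Files.deleteIfExists(hardened);
        }
    }

    static void report(String label, Path p) throws IOException {
        String mode = PosixFilePermissions.toString(Files.getPosixFilePermissions(p));
        System.out.printf("%-9s %s %s  %s%n", label, mode,
                readableByOthers(p) ? "READABLE BY OTHER LOCAL USERS" : "owner only", p);
    }
}
```

Running it with the default `/tmp` and umask 022 prints `rw-r--r--` for the insecure file and `rw-------` for the hardened one, and reports the temporary directory as shared. Running it again with `java -Djava.io.tmpdir=/path/to/dir/owned/by/you/with/mode/0700 TempCredentialFileDemo` shows the workaround from the advisory: even the insecure file is then unreachable by other users because the directory itself is. The proper fix is the second method's approach of restricting the file at creation time, which does not depend on how the JVM was launched.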

Credit: security@apache.org

| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache NiFi | >=1.14.0, <1.16.0 | Upgrade to 1.16.0 or later |


Frequently Asked Questions

  • What is the impact of CVE-2022-26850?

    `CVE-2022-26850` allows any other local user on a Unix-like system to read the NiFi single-user username and password, because they are written to a file in the shared system temporary directory without restrictive permissions.

  • How can I fix CVE-2022-26850?

    To fix `CVE-2022-26850`, upgrade Apache NiFi (which ships the `org.apache.nifi:nifi-single-user-utils` module) to version 1.16.0 or later. As a temporary workaround, point the `java.io.tmpdir` JVM system property at a directory owned by and accessible only to the user running NiFi.

  • What is the severity of CVE-2022-26850?

    The severity of `CVE-2022-26850` is medium with a CVSS score of 6.5.

  • What is CWE-522?

    CWE-522 (Insufficiently Protected Credentials) covers storing or transmitting authentication credentials in a way that lets unauthorized parties obtain them. It applies to `CVE-2022-26850` because the plaintext username and password are written to a temporary file that other local users can read.

  • What is CWE-668?

    CWE-668 (Exposure of Resource to Wrong Sphere) covers making a resource available to actors who are not meant to have access to it. It applies to `CVE-2022-26850` because the credential file is created in the shared system temporary directory with permissions that expose it to every user on the host.
