Insecure Encryption Affecting org.apache.nifi:nifi-bootstrap package, versions [1.2.0, 1.12.0)
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JAVA-ORGAPACHENIFI-1015376
- published 2 Oct 2020
- disclosed 2 Oct 2020
- credit Unknown
Introduced: 2 Oct 2020
CVE-2020-9491 Open this link in a new tabHow to fix?
Upgrade org.apache.nifi:nifi-bootstrap
to version 1.12.0 or higher.
Overview
org.apache.nifi:nifi-bootstrap is an easy to use, powerful, and reliable system to process and distribute data.
Affected versions of this package are vulnerable to Insecure Encryption. The NiFi UI and API were protected by mandating TLS v1.2, as well as listening connections established by processors like ListenHTTP, HandleHttpRequest, etc. However intracluster communication such as cluster request replication, Site-to-Site, and load balanced queues continued to support TLS v1.0 or v1.1.