Insecure Encryption Affecting org.apache.nifi:nifi-bootstrap package, versions [1.2.0, 1.12.0)

  • Attack Complexity


Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id


  • published

    2 Oct 2020

  • disclosed

    2 Oct 2020

  • credit


How to fix?

Upgrade org.apache.nifi:nifi-bootstrap to version 1.12.0 or higher.


org.apache.nifi:nifi-bootstrap is an easy to use, powerful, and reliable system to process and distribute data.

Affected versions of this package are vulnerable to Insecure Encryption. The NiFi UI and API were protected by mandating TLS v1.2, as well as listening connections established by processors like ListenHTTP, HandleHttpRequest, etc. However intracluster communication such as cluster request replication, Site-to-Site, and load balanced queues continued to support TLS v1.0 or v1.1.