NIFI-9780 - Updated CVE-2022-26850 with bcrypt finding and downgraded to Low severity.
diff --git a/src/pages/html/security.hbs b/src/pages/html/security.hbs
index 0f5ee58..c07d08a 100644
--- a/src/pages/html/security.hbs
+++ b/src/pages/html/security.hbs
@@ -68,13 +68,14 @@
 <div class="row" style="background-color: aliceblue">
     <div class="large-12 columns">
         <p><a id="CVE-2022-26850" href="#CVE-2022-26850"><strong>CVE-2022-26850</strong></a>: Apache NiFi insufficiently protected credentials</p>
-        <p>Severity: <strong>Medium</strong></p>
+        <p>Severity: <strong>Low</strong></p>
         <p>Versions Affected:</p>
         <ul>
             <li>Apache NiFi 1.14.0 - 1.15.3</li>
         </ul>
         </p>
-        <p>Description: When creating or updating credentials for single-user access, NiFi wrote a copy of the Login Identity Providers configuration to the operating system temporary directory. On most platforms, the operating system temporary directory has global read permissions. NiFi immediately moved the temporary file to the final configuration directory, which significantly limited the window of opportunity for access.</p>
+        <p>Description: When creating or updating credentials for single-user access, NiFi wrote a copy of the Login Identity Providers configuration to the operating system temporary directory. <b>The Login Identity Providers configuration file contains the username and a bcrypt hash of the configured password</b>. On most platforms, the operating system temporary directory has global read permissions. NiFi immediately moved the temporary file to the final configuration directory, which significantly limited the window of opportunity for access.</p>
+            <p>Bcrypt is a password-hashing algorithm that incorporates a random salt and a specified cost factor, designed to maintain resistance to brute-force attacks. Use of the bcrypt algorithm minimizes the impact of disclosing the single-user credentials stored in Login Identity Providers.</p>
         <p>Mitigation: NiFi 1.16.0 includes updates to replace the Login Identity Providers configuration without writing a file to the operating system temporary directory.</p>
         <p>Credit: This issue was discovered by Jonathan Leitschuh (https://twitter.com/jlleitschuh). Report available here: <a href="https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-rvp4-r3g6-8hxq" target="_blank">JLLeitschuh Github</a></p>
         <p>CVE Link: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26850" target="_blank">Mitre Database: CVE-2022-26850</a></p>
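Review bot: The added bcrypt paragraph (the `+` line beginning `<p>Bcrypt is a password-hashing algorithm`) is indented four spaces deeper than its sibling `<p>` elements, and the emphasised sentence in the new Description uses `<b>` where the rest of this entry uses `<strong>`; align the indentation and switch to `<strong>` for consistency. Because the change from Medium to Low rests on the bcrypt argument, consider stating the cost factor NiFi actually applies instead of "a specified cost factor", so readers can judge the brute-force resistance of a disclosed hash for themselves. The stray `</p>` after `</ul>` in the unchanged context could also be dropped while this block is being edited.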