Details
- Bug
- Status: Resolved
- Major
- Resolution: Won't Fix
- 1.16.0, 1.15.2, 1.15.3
- None
- None
- All Linux Distros
- Important
Description
Using the GetFile and PutFile processors, an attacker could overwrite the configuration files to /dev/null. Using a regex of (.*?), an attacker could point the GetFile processor to the directory in which the NiFi configuration files are located. If the attacker is able to log in, they can send the files to /dev/null on Linux; although this will cause a warning in the PutFile processor, it will still process.
This does not require that the attacker have access to the underlying system, but rather just NiFi itself.
The ways to prevent this from happening would be to prevent the GetFile processor and other NiFi processors from being able to directly read files from the configuration directories in a way that deletes the existing files. Another option would be to have processors prevented from overwriting configuration directory files.
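Since the issue was resolved as Won't Fix, a flow audit is one way to catch the condition described above. The following is an added example, not part of the original report and not NiFi code: it flags GetFile processors that would consume files from the configuration directory. The processor dictionaries are a simplified, assumed representation of an exported flow, and the `/opt/nifi/conf` path and processor names are constructed; `Input Directory`, `Keep Source File` and `Recurse Subdirectories` are GetFile's property names.

```python
import posixpath

GETFILE = "org.apache.nifi.processors.standard.GetFile"

def _is_within(child, parent):
    """True if child is parent or lies below it (lexical check, symlinks not resolved)."""
    child, parent = posixpath.normpath(child), posixpath.normpath(parent)
    return child == parent or child.startswith(parent.rstrip("/") + "/")

def _flag(props, name, default):
    return str(props.get(name, default)).lower() == "true"

def find_risky_getfile(processors, conf_dir):
    """Return (name, normalized input dir) for GetFile processors that can
    remove files from conf_dir because the source file is not kept."""
    findings = []
    for proc in processors:
        if proc.get("type") != GETFILE:
            continue
        props = proc.get("properties", {})
        in_dir = props.get("Input Directory")
        if not in_dir:
            continue
        # GetFile defaults: source file is deleted, subdirectories are recursed.
        keeps_source = _flag(props, "Keep Source File", "false")
        recurses = _flag(props, "Recurse Subdirectories", "true")
        reads_conf = _is_within(in_dir, conf_dir) or (
            recurses and _is_within(conf_dir, in_dir))
        if reads_conf and not keeps_source:
            findings.append((proc.get("name"), posixpath.normpath(in_dir)))
    return findings

# Constructed sample flow (assumed layout, not NiFi's on-disk format).
SAMPLE = [
    {"name": "ingest", "type": GETFILE,
     "properties": {"Input Directory": "/data/in"}},
    {"name": "conf-reader", "type": GETFILE,
     "properties": {"Input Directory": "/opt/nifi/conf", "File Filter": "(.*?)"}},
    {"name": "dotdot", "type": GETFILE,
     "properties": {"Input Directory": "/opt/nifi/logs/../conf/"}},
    {"name": "parent", "type": GETFILE,
     "properties": {"Input Directory": "/opt/nifi"}},
    {"name": "backup", "type": GETFILE,
     "properties": {"Input Directory": "/opt/nifi/conf", "Keep Source File": "true"}},
]

if __name__ == "__main__":
    for name, path in find_risky_getfile(SAMPLE, "/opt/nifi/conf"):
        print(f"GetFile '{name}' consumes files under the config directory via {path}")
```

Input directories set through expression language are not evaluated here and need manual review.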