[
https://issues.apache.org/jira/browse/NIFI-14952?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
David Handermann resolved NIFI-14952.
-------------------------------------
Resolution: Information Provided
> nifi-api/reporting-task too verbose during failed requests
> ----------------------------------------------------------
>
> Key: NIFI-14952
> URL: https://issues.apache.org/jira/browse/NIFI-14952
> Project: Apache NiFi
> Issue Type: Bug
> Components: NiFi API
> Affects Versions: 2.4.0, 2.5.0
> Environment: RHEL 9
> Reporter: WojciechWitos
> Priority: Major
> Labels: Security
> Attachments: image-2025-09-10-09-53-40-894.png,
> image-2025-09-10-09-54-52-967.png, image-2025-09-10-09-56-03-281.png,
> image-2025-09-10-09-57-35-290.png
>
>
> It was found that, using a certain request, it is possible to enumerate
> files and directories on the server - the application returns a descriptive error
> that informs whether the requested script was found in the filesystem or not.
> Originally, the application appends the "script file" value to the default path, but
> it was possible to specify other files using a path traversal technique. It is
> recommended to check if this is accepted behavior or an indicator of a
> vulnerability (in case only scripts in the default path should be run).
> The NiFi reporting task is too verbose in error messages, allowing an
> attacker to enumerate files and directories in the filesystem.
> The /nifi-api/reporting-tasks/ endpoint is too verbose in error messages,
> allowing an attacker to enumerate
> Error message indicating a non-existing file in the cwd.
> !image-2025-09-10-09-57-35-290.png!
> Error message indicating existing directory outside of the application
> location.
> !image-2025-09-10-09-53-40-894.png!
> Error message indicating existing file outside of the application location.
> !image-2025-09-10-09-54-52-967.png!
> In order to make this request work, there has to be an existing Reporting Task.
> The reporting-tasks endpoint requires the reporting task identifier. The request
> made:
> !image-2025-09-10-09-56-03-281.png!
> CWE-209:
> https://cwe.mitre.org/data/definitions/209.html
> CWE-200:
> https://cwe.mitre.org/data/definitions/200.html
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
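The report above concerns CWE-209 (error messages that reveal whether a file exists) combined with a "script file" value that is appended to a default path. The following is an added, hypothetical example of how a defender would confine such a value to a base directory and answer every failure with the same generic message; it is not NiFi's own code, and the class, method and message names are assumptions.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/**
 * Hypothetical hardening example: resolve a user-supplied "script file" name
 * against a base directory, reject anything that escapes it, and return ONE
 * generic error for every failure so a caller cannot tell "missing file" from
 * "existing file or directory outside the base" (CWE-209 / CWE-200).
 */
public final class ScriptPathCheck {
    // The only message that reaches the API client; details stay in the server log.
    public static final String GENERIC_ERROR = "Script file could not be loaded";

    private ScriptPathCheck() {}

    /** Returns the real path if it lies inside baseDir and is a regular file. */
    public static Path resolveScript(Path baseDir, String scriptFile) throws IOException {
        Path base = baseDir.toRealPath();            // canonical base (symlinks resolved)
        Path candidate = base.resolve(scriptFile).normalize();
        // Lexical check first: ".." segments collapsed by normalize() must not leave base.
        if (!candidate.startsWith(base)) {
            throw new IOException(GENERIC_ERROR);
        }
        Path real;
        try {
            real = candidate.toRealPath();           // fails identically for any missing path
        } catch (IOException e) {
            throw new IOException(GENERIC_ERROR);
        }
        // Re-check after symlink resolution, and insist on a regular file (not a directory).
        if (!real.startsWith(base) || !Files.isRegularFile(real)) {
            throw new IOException(GENERIC_ERROR);
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input: a temporary script directory with one real script.
        Path scripts = Files.createTempDirectory("scripts");
        Files.writeString(scripts.resolve("hello.groovy"), "println 'hi'");
        System.out.println("ok: " + resolveScript(scripts, "hello.groovy"));
        // Missing file, traversal to a file, and traversal to a directory all look the same.
        for (String name : new String[] {"missing.groovy", "../outside.groovy", ".."}) {
            try {
                resolveScript(scripts, name);
            } catch (IOException e) {
                System.out.println(name + " -> " + e.getMessage());
            }
        }
    }
}
```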