Cyber Resilience

CVE-2022-33140

Severity: High
Type: RCE
Published: 15 June 2022
Modified: 21 November 2024
KEV Added: not listed
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0388 (88.5th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-33140 is a high-severity OS Command Injection (CWE-78) vulnerability in Apache NiFi. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 11.5% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

The vulnerability is an OS command injection flaw (CWE-78) in the optional ShellUserGroupProvider component of Apache NiFi versions 1.10.0 through 1.16.2 and Apache NiFi Registry versions 0.6.0 through 1.16.2. The provider fails to sanitize arguments passed to group-resolution commands on Linux and macOS, enabling injection when the feature is explicitly enabled in the Authorizers configuration. It is not present in default installations.

An authenticated user with elevated privileges can exploit the issue to execute arbitrary operating-system commands. In NiFi this requires authorization to modify access policies; in NiFi Registry it requires authorization to read user groups. Successful exploitation yields full command execution under the privileges of the NiFi or Registry process.

Apache advisories state that the fix removes command formatting derived from user-supplied arguments and recommend upgrading to patched releases beyond 1.16.2. The referenced security notices provide the updated builds and configuration guidance for disabling or replacing the ShellUserGroupProvider.
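The two conditions described above (an affected version and the ShellUserGroupProvider actually wired into the Authorizers configuration) are what a defender needs to check before deciding whether a deployment is exposed. The script below is an added example, not code from the advisory or the Apache NiFi project. It assumes the authorizers.xml layout documented by NiFi (userGroupProvider / accessPolicyProvider / authorizer elements with identifier, class and property children) and the class name org.apache.nifi.authorization.ShellUserGroupProvider; the sample XML is constructed. It reports a deployment as exposed only when the version is in the affected range and a shell provider is both declared and referenced by another provider or authorizer.

```python
"""Audit a NiFi / NiFi Registry configuration for CVE-2022-33140 exposure.

Added example, not part of the advisory or of Apache NiFi. Assumptions
(not stated on the page): the authorizers.xml element layout and the
ShellUserGroupProvider class name follow the NiFi documentation; the
sample configuration below is constructed for the demonstration.
"""
import re
import xml.etree.ElementTree as ET

# Affected ranges as stated in the advisory, inclusive on both ends.
AFFECTED_RANGES = {
    "nifi": ((1, 10, 0), (1, 16, 2)),
    "nifi-registry": ((0, 6, 0), (1, 16, 2)),
}
SHELL_PROVIDER_SUFFIX = "ShellUserGroupProvider"  # matched against the <class> text

STATUS_PATCHED = "patched version"
STATUS_NOT_CONFIGURED = "affected version, shell provider not declared"
STATUS_DECLARED_ONLY = "affected version, shell provider declared but not referenced"
STATUS_EXPOSED = "EXPOSED: affected version with shell provider wired into the authorizer chain"

# Constructed sample: a shell provider referenced by the access policy provider.
SAMPLE_AUTHORIZERS_XML = """<authorizers>
  <userGroupProvider>
    <identifier>shell-user-group-provider</identifier>
    <class>org.apache.nifi.authorization.ShellUserGroupProvider</class>
    <property name="Refresh Delay">5 mins</property>
  </userGroupProvider>
  <accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
    <property name="User Group Provider">shell-user-group-provider</property>
  </accessPolicyProvider>
  <authorizer>
    <identifier>managed-authorizer</identifier>
    <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
    <property name="Access Policy Provider">file-access-policy-provider</property>
  </authorizer>
</authorizers>"""


def parse_version(text):
    """Turn '1.16.2' (or '1.16.2-SNAPSHOT') into a comparable tuple of ints."""
    parts = []
    for piece in text.strip().split("."):
        match = re.match(r"\d+", piece)
        if match is None:
            raise ValueError(f"unparseable version component {piece!r}")
        parts.append(int(match.group()))
    return tuple(parts)


def version_affected(product, version):
    low, high = AFFECTED_RANGES[product]
    return low <= parse_version(version) <= high


def shell_provider_status(authorizers_xml):
    """Return (declared_ids, referenced_ids) for ShellUserGroupProvider entries."""
    root = ET.fromstring(authorizers_xml)
    declared = set()
    for ugp in root.iter("userGroupProvider"):
        cls = (ugp.findtext("class") or "").strip()
        ident = (ugp.findtext("identifier") or "").strip()
        if cls.endswith(SHELL_PROVIDER_SUFFIX) and ident:
            declared.add(ident)
    # A declared provider only matters if some other element points at its identifier
    # (composite provider slot, access policy provider, ...).
    referenced = set()
    for prop in root.iter("property"):
        value = (prop.text or "").strip()
        if value in declared:
            referenced.add(value)
    return declared, referenced


def assess(product, version, authorizers_xml):
    """Combine the version check and the configuration check into one verdict."""
    if not version_affected(product, version):
        return STATUS_PATCHED
    declared, referenced = shell_provider_status(authorizers_xml)
    if not declared:
        return STATUS_NOT_CONFIGURED
    if not referenced:
        return STATUS_DECLARED_ONLY
    return STATUS_EXPOSED


if __name__ == "__main__":
    print(assess("nifi", "1.16.2", SAMPLE_AUTHORIZERS_XML))
```

Run it against the real authorizers.xml of each node (and the registry's own copy) with the version reported by the installation; a "declared but not referenced" result still deserves cleanup, since a later configuration change can silently put the provider back on the path.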

EPSS for the CVE rose from a low baseline to a peak of 0.1184 on 2025-01-22 before receding to the current value of 0.0388, indicating a period of increased exploitation interest well after initial disclosure.

EU & UK References

Vulnerability details

The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not neutralize arguments for group resolution commands, allowing injection of operating system commands on Linux and macOS platforms. The ShellUserGroupProvider is not included in the default configuration. Command injection requires ShellUserGroupProvider to be one of the enabled User Group Providers in the Authorizers configuration. Command injection also requires an authenticated user with elevated privileges. Apache NiFi requires an authenticated user with authorization to modify access policies in order to execute the command. Apache NiFi Registry requires an authenticated user with authorization to read user groups in order to execute the command. The resolution removes command formatting based on user-provided arguments.
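The resolution described above, removing command formatting based on user-provided arguments, is the general fix for CWE-78. The snippet below is an added example in Python, not NiFi's code, showing the anti-pattern next to the hardened form. The group-resolution command (`id -Gn <identity>`) and the identity allowlist are assumptions chosen for illustration: the vulnerable variant formats the caller-controlled identity into a shell command line, so metacharacters survive into the shell; the hardened variant validates the identity against an allowlist and passes an argv list to the process runner with no shell involved.

```python
"""CWE-78 pattern behind CVE-2022-33140, vulnerable form beside the fix.

Added example, not Apache NiFi code. The command `id -Gn` and the identity
allowlist are illustrative assumptions, not what the project runs.
"""
import re
import subprocess

# Assumption: what an account or group name may look like on the hosts in scope.
IDENTITY_PATTERN = re.compile(r"[A-Za-z0-9._@-]{1,256}")
SHELL_METACHARACTERS = set(";|&$`<>(){}\n")


def build_command_vulnerable(identity):
    """Anti-pattern: caller-controlled text is formatted into a shell command line."""
    return "id -Gn %s" % identity


def shell_metacharacters(command_line):
    """Which shell metacharacters survived into the command line (detection aid)."""
    return {ch for ch in command_line if ch in SHELL_METACHARACTERS}


def build_command_hardened(identity):
    """Fix: reject anything outside the allowlist and build an argv list, not a string."""
    if not IDENTITY_PATTERN.fullmatch(identity):
        raise ValueError("identity contains characters outside the allowlist")
    return ["id", "-Gn", identity]


def accepts(identity):
    """True if the hardened builder would accept this identity."""
    try:
        build_command_hardened(identity)
    except ValueError:
        return False
    return True


def resolve_groups(identity, runner=subprocess.run):
    """Run the hardened argv with shell=False (the default) and split the group list."""
    argv = build_command_hardened(identity)
    completed = runner(argv, capture_output=True, text=True, check=True)
    return completed.stdout.split()


if __name__ == "__main__":
    probe = "alice; echo injected"  # constructed input, not a real exploit
    print("vulnerable builds:", build_command_vulnerable(probe))
    print("metacharacters that reach the shell:", shell_metacharacters(build_command_vulnerable(probe)))
    print("hardened accepts it:", accepts(probe))
```

The `runner` parameter exists so the hardened path can be exercised with a stub instead of a live `id` call; in production the default `subprocess.run` is used with the argv list, which is the property the advisory's fix restores.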

CWE(s)

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

apache nifi: 1.10.0 through 1.16.2
apache nifi registry: 0.6.0 through 1.16.2

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-78: Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

Addresses CWE-78: Validates inputs to block special elements that would alter OS command execution.

References