Cyber Resilience

CVE-2024-56512

Severity: Low
Published: 28 December 2024
Modified: 11 February 2025
KEV Added: not listed
Patch: fixed in Apache NiFi 2.1.0
CVSS v4 score: 2.1 (CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:C/RE:L/U:Green)
EPSS score: 0.3761 (97.3rd percentile)
Risk Priority: 27 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-56512 is a low-severity Not Using Complete Mediation (CWE-638) vulnerability in Apache NiFi. Its CVSS v4 base score is 2.1 (Low).

Operationally, its EPSS score places it in the top 2.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

Apache NiFi versions 1.10.0 through 2.0.0 contain an authorization flaw that omits fine-grained permission checks when a new Process Group is created. The affected components are Parameter Contexts bound to the group, along with any referenced Controller Services and Parameter Providers. The issue occurs only under component-based authorization policies and only when the creating user already holds the right to instantiate Process Groups.

An authenticated user with Process Group creation rights can therefore bind to a Parameter Context without triggering an authorization decision, later retrieving its non-sensitive parameter values. The same user can also reference existing Controller Services or Parameter Providers that would normally be inaccessible, effectively exercising those components inside the newly created group.

Public advisories from the Apache NiFi project state that the recommended mitigation is to upgrade to version 2.1.0, which enforces the missing authorization checks on Parameter Context, Controller Service, and Parameter Provider references at Process Group creation time. The current EPSS score of 0.3761 with a peak of 0.4054 does not indicate a material rise from a low baseline.


Vulnerability details

Apache NiFi 1.10.0 through 2.0.0 are missing fine-grained authorization checking for Parameter Contexts, referenced Controller Services, and referenced Parameter Providers, when creating new Process Groups. Creating a new Process Group can include binding to a Parameter Context, but in cases where the Process Group did not reference any Parameter values, the framework did not check user authorization for the bound Parameter Context. Missing authorization for a bound Parameter Context enabled clients to download non-sensitive Parameter values after creating the Process Group. Creating a new Process Group can also include referencing existing Controller Services or Parameter Providers. The framework did not check user authorization for referenced Controller Services or Parameter Providers, enabling clients to create Process Groups and use these components that were otherwise unauthorized. This vulnerability is limited in scope to authenticated users authorized to create Process Groups. The scope is further limited to deployments with component-based authorization policies. Upgrading to Apache NiFi 2.1.0 is the recommended mitigation, which includes authorization checking for Parameter and Controller Service references on Process Group creation.
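The gap described in the deeper analysis and in the vulnerability details above is a classic complete-mediation failure: the request that creates one component carries references to several others, and only some of those references were authorized. The following is an added, constructed Python model of that pattern, written for this page; it is not Apache NiFi code, and the request fields, policy layout, resource names and function names are assumptions chosen to mirror what the advisory says was and was not checked. It places an "incomplete" handler (context checked only when a parameter is referenced, services and providers never checked) beside a fully mediated one and runs both against the same request from a user who may create groups but has no grant on the referenced components.

```python
"""Constructed model of the authorization gap described above.

Added illustration, not Apache NiFi code: the request fields, policy layout
and function names are assumptions chosen to mirror the advisory text.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


class AuthorizationError(PermissionError):
    """Raised when a user lacks a required grant on a specific component."""


class Authorizer:
    """Component-based policy: grants are recorded per resource and per action."""

    def __init__(self, policy: Dict[str, Dict[str, Set[str]]]) -> None:
        self.policy = policy  # resource_id -> action -> set of user names

    def check(self, user: str, action: str, resource_id: str) -> None:
        if user not in self.policy.get(resource_id, {}).get(action, set()):
            raise AuthorizationError(f"{user} may not {action} {resource_id}")


@dataclass(frozen=True)
class ProcessGroupRequest:
    """The parts of a create request that reference other components (assumed shape)."""
    parent_group_id: str
    parameter_context_id: Optional[str] = None
    referenced_parameter_names: Tuple[str, ...] = ()
    controller_service_ids: Tuple[str, ...] = ()
    parameter_provider_ids: Tuple[str, ...] = ()


def _materialise(req: ProcessGroupRequest) -> dict:
    """Stand-in for creating the group; returns what the new group would bind to."""
    return {
        "parent": req.parent_group_id,
        "parameter_context": req.parameter_context_id,
        "controller_services": list(req.controller_service_ids),
        "parameter_providers": list(req.parameter_provider_ids),
    }


def create_process_group_incomplete(authz: Authorizer, user: str, req: ProcessGroupRequest) -> dict:
    """Models the pre-2.1.0 behaviour the advisory describes: only the parent
    group is mediated, the bound Parameter Context is checked only when a
    parameter is actually referenced, and service/provider references are
    never checked."""
    authz.check(user, "write", req.parent_group_id)
    if req.parameter_context_id and req.referenced_parameter_names:
        authz.check(user, "read", req.parameter_context_id)
    return _materialise(req)


def create_process_group_mediated(authz: Authorizer, user: str, req: ProcessGroupRequest) -> dict:
    """Complete mediation: every component the new group binds to or references
    is authorized before anything is created. The bound context is checked even
    when no parameter is referenced yet, because the binding alone later
    exposes its non-sensitive values."""
    authz.check(user, "write", req.parent_group_id)
    if req.parameter_context_id:
        authz.check(user, "read", req.parameter_context_id)
    for service_id in req.controller_service_ids:
        authz.check(user, "read", service_id)
    for provider_id in req.parameter_provider_ids:
        authz.check(user, "read", provider_id)
    return _materialise(req)


def outcome(handler, authz: Authorizer, user: str, req: ProcessGroupRequest) -> str:
    """Run a handler and report 'created' or the denial reason."""
    try:
        handler(authz, user, req)
        return "created"
    except AuthorizationError as exc:
        return f"denied: {exc}"


# Constructed policy: 'dev' may create groups under root but holds no grant on
# the Parameter Context or the Controller Service the request references.
POLICY = {
    "root": {"write": {"dev", "admin"}},
    "ctx-finance": {"read": {"admin"}},
    "cs-db-pool": {"read": {"admin"}},
}
REQUEST = ProcessGroupRequest(
    parent_group_id="root",
    parameter_context_id="ctx-finance",
    referenced_parameter_names=(),  # nothing referenced yet, so the old path skips the check
    controller_service_ids=("cs-db-pool",),
)


def compare() -> Tuple[str, str]:
    """Outcome of the same request under the incomplete and the mediated handler."""
    authz = Authorizer(POLICY)
    return (
        outcome(create_process_group_incomplete, authz, "dev", REQUEST),
        outcome(create_process_group_mediated, authz, "dev", REQUEST),
    )


if __name__ == "__main__":
    before, after = compare()
    print("incomplete mediation:", before)
    print("complete mediation:  ", after)
```

The design point is that authorization is evaluated against the request's references, not against whether those references are used yet: the mediated handler fails closed on the first unauthorized component and creates nothing, which is the behaviour the 2.1.0 fix restores.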

CWE(s)

CWE-638 (Not Using Complete Mediation); CWE-862 (Missing Authorization)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: apache
Product: nifi
Versions: 1.10.0 — 2.1.0 (fixed in 2.1.0)

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry. Each control addresses CWE-862 (Missing Authorization).

- Requiring an access control policy ensures authorization checks are defined and applied for critical functions.
- Reviews of access controls detect missing authorization checks on critical functions or resources.
- Documenting permitted unauthenticated actions prevents missing authorization by making all exceptions explicit and subject to organizational review.
- Requiring attribute association with information prevents authorization from being performed without the necessary security or privacy context.
- Mandating authorization prior to allowing remote connections addresses missing authorization for remote access.
- Mandating authorization before wireless connections are allowed prevents missing authorization for wireless access.
- Requiring authorization before allowing mobile device connections directly mitigates missing authorization for system access.
- Requiring approvals for account creation and specifying authorizations ensures authorization is not missing for system access.
