Apache NiFi
cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*
- >= 1.1.0, < 2.8.0
A vulnerability exists in Apache NiFi versions from 1.1.0 up to, but not including, 2.8.0, where the framework fails to enforce proper authorization when updating configuration properties on extension components marked with the Restricted annotation. This annotation indicates that additional privileges are required to add the component to the flow configuration. However, the authorization framework did not verify the restricted status during property updates, so a less privileged user could modify the properties of a component that a more privileged user had previously added. This issue does not affect Apache NiFi installations that enforce different levels of authorization for Restricted components, as those installations already use write permissions as the security boundary.
Exploitation of this vulnerability could allow less privileged users to make unauthorized configuration changes to Restricted components, potentially leading to unintended modifications in the data flow or processor behavior.
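The gap described above, modelled as an added example (not NiFi's own code): the pre-2.8.0 property-update check consults only write access, the hardened check reuses the same restricted-status test applied when adding the component, and a small audit routine flags updates the hardened check would have denied. Component names, user names and the audit events are constructed; the "execute-code" permission label is an assumption.

```python
from dataclasses import dataclass, field

# Constructed model of the authorization check; names are assumptions, not NiFi's API.
@dataclass(frozen=True)
class Component:
    name: str
    # Permissions declared by the Restricted annotation; empty means unrestricted.
    required: frozenset = frozenset()

@dataclass
class User:
    name: str
    writable: set = field(default_factory=set)   # components the user may write
    granted: set = field(default_factory=set)    # restricted permissions held

def can_add(user: User, comp: Component) -> bool:
    """Adding a Restricted component needs write access plus every declared permission."""
    return comp.name in user.writable and comp.required <= user.granted

def can_update_vulnerable(user: User, comp: Component) -> bool:
    """Pre-2.8.0 behaviour per the advisory: only write access is consulted."""
    return comp.name in user.writable

def can_update_fixed(user: User, comp: Component) -> bool:
    """Hardened check: property updates get the same restricted-status test as adds."""
    return can_add(user, comp)

def flag_suspect_updates(events, components, users):
    """Return (actor, component) pairs where a Restricted component's properties were
    updated by a user lacking its declared permissions (denied by the fixed check)."""
    hits = []
    for actor, comp_name in events:
        comp, user = components[comp_name], users[actor]
        if comp.required and not can_update_fixed(user, comp):
            hits.append((actor, comp_name))
    return hits

# Constructed scenario: an admin adds a Restricted component; an operator with write
# access to it, but without the restricted permission, then edits its properties.
RESTRICTED = Component("RestrictedProc", frozenset({"execute-code"}))
PLAIN = Component("PlainProc")
ADMIN = User("admin", {"RestrictedProc", "PlainProc"}, {"execute-code"})
OPERATOR = User("operator", {"RestrictedProc", "PlainProc"})
COMPONENTS = {c.name: c for c in (RESTRICTED, PLAIN)}
USERS = {u.name: u for u in (ADMIN, OPERATOR)}
# Constructed audit events: (actor, component whose properties were updated)
EVENTS = [("admin", "RestrictedProc"), ("operator", "PlainProc"), ("operator", "RestrictedProc")]

if __name__ == "__main__":
    print(can_update_vulnerable(OPERATOR, RESTRICTED))  # True: the authorization gap
    print(can_update_fixed(OPERATOR, RESTRICTED))       # False
    print(flag_suspect_updates(EVENTS, COMPONENTS, USERS))
```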
Users are advised to upgrade to Apache NiFi version 2.8.0 or later.