Vulnerability Description
Starting with Apache NiFi MiNiFi C++ version 0.5.0, the c2 protocol implements an "agent-update" command, which was designed to patch the application binary. This "patching" command defaults to calling a trusted binary, but the binary it calls can be changed to an arbitrary value through a "c2-update" command. The resulting command is then executed with the same privileges as the application binary. This was addressed in version 0.10.0.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | NiFi MiNiFi C++ | >= 0.5.0, < 0.10.0 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2021/08/24/1 (Mailing List, Third Party Advisory)
- https://lists.apache.org/thread.html/r6f27a2454f5f67dbe4e21c8eb1db537b01863a0bc3
- https://www.openwall.com/lists/oss-security/2021/08/24/1 (Mailing List, Third Party Advisory)
FAQ
What is CVE-2021-33191?
CVE-2021-33191 is a vulnerability with a CVSS score of 9.8 (CRITICAL). From Apache NiFi MiNiFi C++ version 0.5.0 the c2 protocol implements an "agent-update" command which was designed to patch the application binary. This "patching" command defaults to calling a trusted...
How severe is CVE-2021-33191?
CVE-2021-33191 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2021-33191?
Check the references section above for vendor advisories and patch information. Affected products include: Apache NiFi MiNiFi C++ (fixed in version 0.10.0).