CVE-2022-33140 — HIGH (8.8)

Q: How severe is CVE-2022-33140?

CVE-2022-33140 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2022-33140?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Nifi, Apache Nifi Registry, Apple Macos, Linux Linux Kernel.

Vulnerability Description

The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not neutralize arguments for group resolution commands, allowing injection of operating system commands on Linux and macOS platforms. The ShellUserGroupProvider is not included in the default configuration. Command injection requires ShellUserGroupProvider to be one of the enabled User Group Providers in the Authorizers configuration. Command injection also requires an authenticated user with elevated privileges. Apache NiFi requires an authenticated user with authorization to modify access policies in order to execute the command. Apache NiFi Registry requires an authenticated user with authorization to read user groups in order to execute the command. The resolution removes command formatting based on user-provided arguments.

CVSS Score

8.8

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Apache	Nifi	>= 1.10.0, <= 1.16.2
Apache	Nifi Registry	>= 0.6.0, <= 1.16.2
Apple	Macos	-
Linux	Linux Kernel	-

Related Weaknesses (CWE)

CWE-78

References

https://lists.apache.org/thread/bzs2pcdjsdrh5039oslmfr9mbs9qqdhrMailing ListVendor Advisory
https://nifi.apache.org/security.html#CVE-2022-33140Issue TrackingVendor Advisory
https://lists.apache.org/thread/bzs2pcdjsdrh5039oslmfr9mbs9qqdhrMailing ListVendor Advisory
https://nifi.apache.org/security.html#CVE-2022-33140Issue TrackingVendor Advisory

FAQ

What is CVE-2022-33140?

CVE-2022-33140 is a vulnerability with a CVSS score of 8.8 (HIGH). The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not neutralize arguments for group resolution commands, allowing injection of operatin...

How severe is CVE-2022-33140?

CVE-2022-33140 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-33140?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Nifi, Apache Nifi Registry, Apple Macos, Linux Linux Kernel.