CVE-2019-10083
Description
When updating a Process Group via the API in NiFi versions 1.3.0 to 1.9.2, the response to the request includes all of its contents (at the top most level, not recursively). The response included details about processors and controller services which the user may not have had read access to.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache NiFi API response for Process Group updates exposes unauthorized processor and controller service details, leading to information disclosure.
CVE-2019-10083 is an information disclosure vulnerability in Apache NiFi versions 1.3.0 through 1.9.2. When a user updates a Process Group via the REST API, the server response includes the full contents of the Process Group at the top level, including details about processors and controller services. This occurs even if the requesting user does not have read access to those components [2].
Exploitation requires an authenticated user with permission to update a Process Group. The vulnerability lies in the API endpoint's response handling, which fails to filter out components the user is not authorized to read. An attacker with update privileges can trigger this by sending an update request to a Process Group and inspecting the response.
The impact is unauthorized disclosure of sensitive configuration details, such as processor properties and controller service settings. This could reveal credentials, connection strings, or other secrets embedded in component configurations, potentially leading to further compromise.
The vulnerability was fixed in NiFi versions after 1.9.2. Users should upgrade to a patched release. No workaround is available; restricting API access to trusted users can reduce risk.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.nifi:nifi-web-apiMaven | >= 1.3.0, < 1.10.0 | 1.10.0 |
org.apache.nifi:nifiMaven | >= 1.3.0, < 1.10.0 | 1.10.0 |
Affected products
3- NiFi/NiFidescription
- ghsa-coords2 versions
>= 1.3.0, < 1.10.0+ 1 more
- (no CPE)range: >= 1.3.0, < 1.10.0
- (no CPE)range: >= 1.3.0, < 1.10.0
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- github.com/advisories/GHSA-26p8-xrj2-mv53ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2019-10083ghsaADVISORY
- lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3EghsaWEB
- nifi.apache.org/security.htmlghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.