Access Control: Apache NiFi - Remote Code Execution¶

Identifier: apache_nifi_rce

Scanner(s) Support¶

Description¶

Apache NiFi is designed for data streaming. It supports highly configurable data routing, transformation, and system mediation logic that indicate graphs. The system has unauthorized remote command execution vulnerability.

Reference:

• https://github.com/imjdl/Apache-NiFi-Api-RCE
• https://labs.withsecure.com/tools/metasploit-modules-for-rce-in-apache-nifi-and-kong-api-gateway
• https://packetstormsecurity.com/files/160260/apache_nifi_processor_rce.rb.txt

Configuration¶

Example¶

Example configuration:

---
security_tests:
  apache_nifi_rce:
    assets_allowed:
    - REST
    - GRAPHQL
    - WEBAPP
    skip: false

Reference¶

assets_allowed¶

Type : List[AssetType]*

List of assets that this check will cover.

skip¶

Type : boolean

Skip the test if true.