Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 24 Aug 2021 08:32:18 +0000
From: Arpad Boda <>
Subject: CVE-2021-33191: Apache NiFi - MiNiFi C++: MiNiFi CPP arbitrary
 script execution is possible on the agent's host machine through the c2


>From Apache NiFi MiNiFi C++ version 0.5.0 the c2 protocol implements an "agent-update" command which was designed to patch the application binary. 
This "patching" command defaults to calling a trusted binary, but might be modified to an arbitrary value through a "c2-update"
command. Said command is then executed using the same privileges as the application binary.  This was addressed in version 0.10.0

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.