CVE-2021-33191

moderate-risk
Published 2021-08-24

From Apache NiFi MiNiFi C++ version 0.5.0 the c2 protocol implements an "agent-update" command which was designed to patch the application binary. This "patching" command defaults to calling a trusted binary, but might be modified to an arbitrary value through a "c2-update" command. Said command is then executed using the same privileges as the application binary. This was addressed in version 0.10.0

Do I need to act?

~
3.3% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
+
Fix available
Upgrade to: 60d5bc70b567fa7c6689f313a75be17fe7c94080
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (1)

Nifi Minifi C\+\+

Affected Vendors

Apache

References (6)

Mailing List http://www.openwall.com/lists/oss-security/2021/08/24/1
https://lists.apache.org/thread.html/r6f27a2454f5f67dbe4e21c8eb1db537b01863a0bc3...
Mailing List https://www.openwall.com/lists/oss-security/2021/08/24/1
Mailing List http://www.openwall.com/lists/oss-security/2021/08/24/1
https://lists.apache.org/thread.html/r6f27a2454f5f67dbe4e21c8eb1db537b01863a0bc3...
Mailing List https://www.openwall.com/lists/oss-security/2021/08/24/1
44
/ 100
moderate-risk
Severity 32/34 · Critical
Exploitability 7/34 · Low
Exposure 5/34 · Minimal