id: apache-nifi-rce

info:
  name: Apache NiFi  - Remote Code Execution
  author: arliya
  severity: critical
  description: |
    Apache NiFi is designed for data streaming. It supports highly configurable data routing, transformation, and system mediation logic that indicate graphs. The system has unauthorized remote command execution vulnerability.
  reference:
    - https://github.com/imjdl/Apache-NiFi-Api-RCE
    - https://labs.withsecure.com/tools/metasploit-modules-for-rce-in-apache-nifi-and-kong-api-gateway
    - https://packetstormsecurity.com/files/160260/apache_nifi_processor_rce.rb.txt
  classification:
    cpe: cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    shodan-query: "title:\"NiFi\""
    product: nifi
    vendor: apache
  tags: packetstorm,apache,nifi,rce

http:
  - method: GET
    path:
      - "{{BaseURL}}/nifi-api/process-groups/root"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "revision"
          - "canRead"
          - "permissions"
        condition: and

      - type: word
        part: header
        words:
          - "application/json"

      - type: status
        status:
          - 200

    extractors:
      - type: json
        json:
          - .id
# digest: 4a0a00473045022005dac3140ddcb76d7f367cb15fd5ddfade055a97c443c3d7c960d862d60e6216022100b51a687f16600b21637ce9a31b3a8374d5a781aaf44b31ec864dbf271da943a1:922c64590222798bb761d5b6d8e72950