CVE-2025-66524
Chinese title:
(no data)
English title:
Apache NiFi: Deserialization of Untrusted Data in GetAsanaObject Processor
Vulnerability description
Chinese description:
(no data)
English description:
Apache NiFi 1.20.0 through 2.6.0 include the GetAsanaObject Processor, which requires integration with a configurable Distribute Map Cache Client Service for storing and retrieving state information. The GetAsanaObject Processor used generic Java Object serialization and deserialization without filtering. Unfiltered Java object deserialization does not provide protection against crafted state information stored in the cache server configured for GetAsanaObject. Exploitation requires an Apache NiFi system running with the GetAsanaObject Processor, and direct access to the configured cache server. Upgrading to Apache NiFi 2.7.0 is the recommended mitigation, which replaces Java Object serialization with JSON serialization. Removing the GetAsanaObject Processor located in the nifi-asana-processors-nar bundle also prevents exploitation.
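The description above comes down to one pattern: state bytes are read back from a cache that other parties can write to, and handed to ObjectInputStream.readObject() with no class filter. The following added example is not NiFi's code; it is a stand-alone sketch in which an in-memory Map stands in for the DistributedMapCache, AsanaObjectState is a hypothetical state record, and the "attacker" simply stores an object of a different class (a plain HashMap, not a gadget chain). The unfiltered reader accepts whatever class the cache holds, which is the weakness; the hardened reader applies a JDK 9+ ObjectInputFilter allow-list and rejects everything else. NiFi 2.7.0 instead moved the state to JSON, which removes Java deserialization from the path entirely; the filter is shown here because it demonstrates the failure mode with only the standard library.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;

public class CacheStateDeserializationDemo {

    // Hypothetical state record; the real GetAsanaObject state class is not reproduced here.
    static final class AsanaObjectState implements Serializable {
        private static final long serialVersionUID = 1L;
        final String lastSeenGid;
        final long lastModifiedEpochMillis;

        AsanaObjectState(String lastSeenGid, long lastModifiedEpochMillis) {
            this.lastSeenGid = lastSeenGid;
            this.lastModifiedEpochMillis = lastModifiedEpochMillis;
        }
    }

    // Stand-in for the DistributedMapCache server: anyone with network access to the
    // cache can overwrite an entry, so its contents are untrusted input.
    static final Map<String, byte[]> cache = new HashMap<>();

    static byte[] serialize(Serializable value) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(value);
        }
        return buf.toByteArray();
    }

    // VULNERABLE: the pre-2.7.0 shape of the problem. Any class in the stream is
    // resolved and instantiated before the caller gets a chance to check the type.
    static Object readStateUnfiltered(String key) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(cache.get(key)))) {
            return in.readObject();
        }
    }

    // HARDENED: only the expected state class (and String, for its field) may be
    // deserialized; "!*" rejects every other class before it is resolved.
    static AsanaObjectState readStateFiltered(String key) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowList = ObjectInputFilter.Config.createFilter(
                AsanaObjectState.class.getName() + ";java.lang.String;!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(cache.get(key)))) {
            in.setObjectInputFilter(allowList);
            return (AsanaObjectState) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // 1. The processor stores legitimate state (constructed sample values).
        cache.put("asana-state", serialize(new AsanaObjectState("1200000000000001", 1700000000000L)));
        AsanaObjectState good = readStateFiltered("asana-state");
        System.out.println("filtered read of legitimate state: gid=" + good.lastSeenGid);

        // 2. Someone with access to the cache server replaces the entry with an
        //    object of a class the processor never intended to deserialize.
        Map<String, String> planted = new HashMap<>();
        planted.put("origin", "written by a party with cache access");
        cache.put("asana-state", serialize((Serializable) planted));

        // 3. Unfiltered readObject() instantiates the foreign class without complaint.
        Object o = readStateUnfiltered("asana-state");
        System.out.println("unfiltered read accepted: " + o.getClass().getName());

        // 4. The allow-list filter refuses it before any constructor or readObject runs.
        try {
            readStateFiltered("asana-state");
            System.out.println("filtered read unexpectedly succeeded");
        } catch (InvalidClassException e) {
            System.out.println("filtered read rejected: " + e.getMessage());
        }
    }
}
```

Run it with `javac CacheStateDeserializationDemo.java && java CacheStateDeserializationDemo` on JDK 9 or later. The point to take from step 3 is that the type cast a developer usually writes after readObject() happens too late: the object graph has already been constructed by the time the cast runs, so the only controls that help are a class filter applied before resolution or, as NiFi 2.7.0 did, a format such as JSON whose parser never instantiates arbitrary classes.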
CWE type:
Tags:
Affected products
| Vendor | Product | Version | Version range | Platform | CPE |
|---|---|---|---|---|---|
| Apache Software Foundation | Apache NiFi | - | ≤ 2.6.0 | - | cpe:2.3:a:apache_software_foundation:apache_nifi:*:*:*:*:*:*:*:* |
| apache | nifi | * | - | - | cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:* |
| apache | nifi | 2.7.0 | - | - | cpe:2.3:a:apache:nifi:2.7.0:rc1:*:*:*:*:*:* |
Solution
Chinese solution:
English solution: Upgrade to Apache NiFi 2.7.0, which replaces Java Object serialization with JSON serialization for the GetAsanaObject state.
Workaround: Remove the GetAsanaObject Processor (the nifi-asana-processors-nar bundle) from the NiFi installation; without the processor, state from the cache server is never deserialized. Restricting network access to the configured cache server also narrows the attack surface, since exploitation requires direct access to it.
CVSS score details
CVSS version: 4.0 (source: CNA)
Severity: HIGH
Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/AU:Y/R:U/V:C/RE:L/U:Green
Timing information
Exploitation information
Data source details
| Data source | Record ID | Version | Extracted at |
|---|---|---|---|
| CVE | cve_CVE-2025-66524 | 2025-12-21 02:11:29 | 2026-01-12 02:12:25 |
| NVD | nvd_CVE-2025-66524 | 2026-01-09 03:00:24 | 2026-01-12 02:28:04 |
Version and language
Security advisories
Change history
- affected_products_count: 1 -> 3
- references_count: 1 -> 2
- data_sources: ['cve'] -> ['cve', 'nvd']