{"id":"CVE-2021-33191","details":"From Apache NiFi MiNiFi C++ version 0.5.0 the c2 protocol implements an \"agent-update\" command which was designed to patch the application binary. This \"patching\" command defaults to calling a trusted binary, but might be modified to an arbitrary value through a \"c2-update\" command. Said command is then executed using the same privileges as the application binary. This was addressed in version 0.10.0","modified":"2026-04-11T16:25:56.286947Z","published":"2021-08-24T12:15:07.307Z","references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/r6f27a2454f5f67dbe4e21c8eb1db537b01863a0bc3758f28aa60f032%40%3Cannounce.apache.org%3E"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2021/08/24/1"},{"type":"ADVISORY","url":"https://www.openwall.com/lists/oss-security/2021/08/24/1"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/nifi-minifi-cpp","events":[{"introduced":"5f3b3973e37def4d8ed2753837986d121fd58322"},{"fixed":"60d5bc70b567fa7c6689f313a75be17fe7c94080"}],"database_specific":{"versions":[{"introduced":"0.5.0"},{"fixed":"0.10.0"}]}}],"versions":["0.8.0","minifi-cpp-0.10.0-RC1","minifi-cpp-0.5.0-RC1","minifi-cpp-0.6.0-RC1","minifi-cpp-0.6.0-RC2","minifi-cpp-0.9.0-RC1","minifi-cpp-0.9.0-RC2","rel/minifi-cpp-0.5.0","rel/minifi-cpp-0.6.0","rel/minifi-cpp-0.7.0","rel/minifi-cpp-0.9.0","v0.8.0"],"database_specific":{"vanir_signatures":[{"target":{"file":"extensions/librdkafka/tests/ConsumeKafkaTests.cpp"},"signature_type":"Line","id":"CVE-2021-33191-b4fa8fd1","deprecated":false,"source":"https://github.com/apache/nifi-minifi-cpp/commit/60d5bc70b567fa7c6689f313a75be17fe7c94080","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["45581895519790946967250934562794875588","151016016327297584032057121163926636646","314908982928140470750857460926719267199","71341333786924621204946705680210143174","165719634024667977330940939728857333604","58973793916061874377499866973162585776","108892000830333068251978432811287265972","222682067134033337532989291225059412978","163886782563618303836103696975440619181","7948864718235082529724167424159538356","297736869567078051706616618477156666104","69642665677732161563076330047730367423","288244144923987386073789665914435222895","128848792111861270091895155091947350850","310609493758370830077401134566376271985","8007616920979349810866771208826984492","168392778831125291627255422628557502781","142112813547317268413875778366731100513","114330525453235516346615848320167322001","305086334053146969892002765278238048607","134719923705061201848279200159970325350","88758680868365217704459493958203591983","186199130704259739002793895182956688628","87491922719095050720150518425708046105","13693550200388959513630470151773926784","252350572943124561884482201671065231626","113773837267095747133581535873427460951","297768142834184905768806633564275138266","245257710182673518899518098109815329678","146218506966919159475019630358227722130","308131536253435157437539162032057064648","126283221487650246209534056886867358813","271576129515329509902152319179203951508","6924368914659256471682406321478732305"]}}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-33191.json","vanir_signatures_modified":"2026-04-11T16:25:56Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}