{"id":"CVE-2023-41180","details":"Incorrect certificate validation in InvokeHTTP on Apache NiFi MiNiFi C++ versions 0.13 to 0.14 allows an intermediary to present a forged certificate during TLS handshake negotiation. The Disable Peer Verification property of InvokeHTTP was effectively flipped, disabling verification by default, when using HTTPS.\n\nMitigation: Set the Disable Peer Verification property of InvokeHTTP to true when using MiNiFi C++ versions 0.13.0 or 0.14.0. Upgrading to MiNiFi C++ 0.15.0 corrects the default behavior.\n\n","modified":"2026-03-14T12:14:57.617532Z","published":"2023-09-03T16:15:10.823Z","references":[{"type":"REPORT","url":"https://lists.apache.org/thread/b51f8csysg1pvgs6xjjrq5hrjrvfot1y"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/nifi-minifi-cpp","events":[{"introduced":"4389b9ac05e43e1dbf908e9014787d07c8a9cd05"},{"last_affected":"976b0a165387250a846d13e22b7084fa7c0fb9d3"}],"database_specific":{"versions":[{"introduced":"0.13.0"},{"last_affected":"0.14.0"}]}}],"versions":["minifi-cpp-0.13.0-RC1","minifi-cpp-0.13.0-RC2","minifi-cpp-0.14.0-RC1","rel/minifi-cpp-0.13.0","rel/minifi-cpp-0.14.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-41180.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}