Apache · Apache NiFi · CVE-2025-27017
Name of the Vulnerable Software and Affected Versions:
Apache NiFi versions 1.13.0 through 2.2.0
Description:
MongoDB components in Apache NiFi include sensitive authentication credentials, specifically the `username` and `password` used to connect to MongoDB, in the provenance events they generate during processing. An authorized user with read access to these events may be able to view the credentials.
Recommendations:
For Apache NiFi versions 1.13.0 through 2.2.0, upgrade to Apache NiFi 2.3.0 to remove the credentials from provenance event records.
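To check which provenance event records already hold MongoDB credentials, the following added example (not code from this advisory or from the NiFi project) scans exported events and masks any password it finds. It assumes the events are exported as JSON and that the credentials appear as the userinfo part of a MongoDB connection string in a string field such as `transitUri`; the sample events and their field values are constructed.

```python
import json
import re

# userinfo section of a MongoDB connection string: scheme://user:password@
MONGO_USERINFO = re.compile(r"(mongodb(?:\+srv)?://)([^/@\s:]+):([^/@\s]+)@", re.I)

# Constructed sample export; field names are assumptions, not taken from the advisory.
SAMPLE_EVENTS = json.loads("""[
  {"eventId": 101, "componentType": "PutMongo",
   "transitUri": "mongodb://etl_user:S3cr3t%21@db.example.internal:27017/orders"},
  {"eventId": 102, "componentType": "GetMongo",
   "transitUri": "mongodb://db.example.internal:27017/orders"},
  {"eventId": 103, "componentType": "UpdateAttribute", "transitUri": null,
   "attributes": [{"name": "mongo.uri",
                   "value": "mongodb+srv://report:pw123@cluster.example.internal/"}]}
]""")


def _scrub(node, path, event_id, findings):
    """Return a copy of node with passwords masked, recording each hit in findings."""
    if isinstance(node, dict):
        return {k: _scrub(v, f"{path}.{k}" if path else k, event_id, findings)
                for k, v in node.items()}
    if isinstance(node, list):
        return [_scrub(v, f"{path}[{i}]", event_id, findings)
                for i, v in enumerate(node)]
    if isinstance(node, str):
        for match in MONGO_USERINFO.finditer(node):
            # Record the username only; the password is never copied anywhere.
            findings.append({"event": event_id, "field": path,
                             "username": match.group(2)})
        return MONGO_USERINFO.sub(r"\1\2:***@", node)
    return node


def audit_events(events):
    """Scan exported provenance events; return (findings, sanitized_events)."""
    findings, sanitized = [], []
    for event in events:
        sanitized.append(_scrub(event, "", event.get("eventId"), findings))
    return findings, sanitized


if __name__ == "__main__":
    hits, clean = audit_events(SAMPLE_EVENTS)
    for hit in hits:
        print(f"event {hit['event']}: credentials in {hit['field']} (user {hit['username']})")
    print(json.dumps(clean, indent=2))
```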