PT-2024-35118 · Apache · Apache NiFi

David Handermann · Published 2024-11-20 · Updated 2025-02-11 · CVE-2024-52067

CVSS v4.0

6.9 Medium

Vector: AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/AU:Y/R:U/V:D/RE:L/U:Green

Name of the Vulnerable Software and Affected Versions

Apache NiFi versions 1.16.0 through 1.28.0
Apache NiFi versions 2.0.0-M1 through 2.0.0-M4

Description

The issue concerns the optional debug logging of Parameter Context values during the flow synchronization process in Apache NiFi. An authorized administrator with access to change logging levels could enable debug logging, causing the application to write Parameter names and values to the application log. Parameter Context values may contain sensitive information depending on the application flow configuration. Deployments with the default Logback configuration do not log Parameter Context values.

Recommendations

For Apache NiFi versions 1.16.0 through 1.28.0, upgrade to Apache NiFi 1.28.1 to eliminate Parameter value logging from the flow synchronization process.
For Apache NiFi versions 2.0.0-M1 through 2.0.0-M4, upgrade to Apache NiFi 2.0.0 to eliminate Parameter value logging from the flow synchronization process.
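
A triage check for the two conditions described above, added here as an example and not taken from the advisory or from the NiFi project: whether a version falls in the affected ranges, and whether a Logback configuration raises NiFi loggers above the default level. The advisory does not name the logger involved, so the check flags any logger under org.apache.nifi (and the root logger) set to DEBUG or more verbose; the function names and the sample configuration are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

VERBOSE_LEVELS = {"DEBUG", "TRACE", "ALL"}

# Constructed sample of a conf/logback.xml fragment (not from a real deployment).
SAMPLE_LOGBACK = """<configuration>
  <logger name="org.apache.nifi" level="INFO"/>
  <logger name="org.apache.nifi.controller" level="DEBUG"/>
  <logger name="org.apache.zookeeper" level="DEBUG"/>
  <root level="INFO"/>
</configuration>"""

def is_affected(version):
    """True if version is in 1.16.0..1.28.0 or 2.0.0-M1..2.0.0-M4."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised NiFi version: {version!r}")
    release = tuple(int(x) for x in m.group(1, 2, 3))
    milestone = m.group(4)
    if milestone is not None:
        # Milestone builds are only listed for the 2.0.0 line.
        return release == (2, 0, 0) and 1 <= int(milestone) <= 4
    return (1, 16, 0) <= release <= (1, 28, 0)

def verbose_nifi_loggers(logback_xml):
    """Return (logger name, level) pairs that enable debug-level NiFi logging."""
    findings = []
    for el in ET.fromstring(logback_xml).iter():
        level = (el.get("level") or "").upper()
        if level not in VERBOSE_LEVELS:
            continue
        name = el.get("name", "")
        if el.tag == "root":
            findings.append(("ROOT", level))
        elif el.tag == "logger" and (
            name == "org.apache.nifi" or name.startswith("org.apache.nifi.")
        ):
            findings.append((name, level))
    return findings

if __name__ == "__main__":
    for v in ("1.28.0", "1.28.1", "2.0.0-M4", "2.0.0"):
        print(v, "affected" if is_affected(v) else "not affected")
    for name, level in verbose_nifi_loggers(SAMPLE_LOGBACK):
        print(f"review logger {name} at {level}")
```

On an affected version, any finding is a reason to review the application log for Parameter values and to rotate secrets that were stored as Parameters.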

Fix

Insertion into Log File

Weakness Enumeration

Related Identifiers

BDU:2025-02251
CVE-2024-52067
GHSA-V3VC-6QCV-4VRX

Affected Products

Apache NiFi