PT-2025-11109 · Apache · Apache NiFi
Robert Creese · Published 2025-03-11 · Updated 2025-07-16 · CVE-2025-27017
CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/S:P/AU:Y/R:U/V:C/RE:L/U:Green
Name of the Vulnerable Software and Affected Versions:
Apache NiFi versions 1.13.0 through 2.2.0
Description:
The issue concerns the inclusion of sensitive authentication credentials, specifically the username and password used to connect to MongoDB, in the NiFi provenance events generated by MongoDB components during processing. An authorized user with read access to these events may be able to view the credentials.
Recommendations:
For Apache NiFi versions 1.13.0 through 2.2.0, upgrade to Apache NiFi 2.3.0 to remove the credentials from provenance event records.
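To check exported provenance events for exposed MongoDB credentials, the following is an added example, not code from this advisory or from the Apache NiFi project. It assumes the credentials appear as the userinfo part of a `mongodb://` or `mongodb+srv://` URI somewhere in an event's string fields; the sample events, their field names and the hostnames are constructed.

```python
import json
import re
from urllib.parse import unquote

# mongodb:// or mongodb+srv:// URI carrying "user:password@" (assumed exposure form).
MONGO_URI = re.compile(
    r"(mongodb(?:\+srv)?://)([^\s/:@]+):([^\s/@]+)@([^\s\"']+)")

def iter_strings(node, path=""):
    """Yield (path, value) for every string inside a nested JSON structure."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from iter_strings(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_strings(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node

def find_exposed(events):
    """Return one finding per credential-bearing URI; the password is never kept."""
    findings = []
    for event in events:
        for path, value in iter_strings(event):
            for m in MONGO_URI.finditer(value):
                findings.append({
                    "event_id": event.get("id"),
                    "field": path,
                    "username": unquote(m.group(2)),
                    "redacted": f"{m.group(1)}{m.group(2)}:***@{m.group(4)}",
                })
    return findings

# Constructed sample export; field names are assumptions, not taken from the advisory.
SAMPLE = json.loads("""[
  {"id": "101", "componentType": "PutMongo", "eventType": "SEND",
   "transitUri": "mongodb://etl_user:S3cr%40t@db1.example.internal:27017/orders"},
  {"id": "102", "componentType": "GetMongo", "eventType": "RECEIVE",
   "transitUri": "mongodb://db1.example.internal:27017/orders"},
  {"id": "103", "componentType": "PutMongo", "eventType": "SEND",
   "details": "Sent to mongodb+srv://svc:pw@cluster0.example.internal/test"}
]""")

if __name__ == "__main__":
    for finding in find_exposed(SAMPLE):
        print(finding["event_id"], finding["field"], finding["redacted"])
```

Events reported by the scan identify which MongoDB accounts were written into provenance records readable by users with access to those events.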
Affected Products
Apache NiFi