CVE-2020-1942 – org.apache.nifi:nifi-security-utils
Package
Manager: maven
Name: org.apache.nifi:nifi-security-utils
Vulnerable Version: >=0.0.1 <1.12.0-rc1
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00165 (percentile: 0.38061)
Details
Insertion of Sensitive Information into Log File in Apache NiFi

In Apache NiFi 0.0.1 to 1.11.0, the flow fingerprint factory generated flow fingerprints that included sensitive property descriptor values. If a node attempted to join a cluster and the cluster flow was not inheritable, the flow fingerprints of both the cluster flow and the local flow were printed, potentially containing sensitive values in plaintext.
Metadata
Created: 2022-01-06T20:40:58Z
Modified: 2021-07-28T18:31:48Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-7q8g-gpfp-v8gx/GHSA-7q8g-gpfp-v8gx.json
CWE IDs: ["CWE-200", "CWE-532"]
Alternative ID: GHSA-7q8g-gpfp-v8gx
Finding: F017
Auto approve: 1