CVE-2020-9486 – org.apache.nifi:nifi-stateless
Package
Manager: maven
Name: org.apache.nifi:nifi-stateless
Vulnerable Version: >=1.10.0 <1.12.0-rc1
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.0058 (percentile: 0.67934)
Details
Insertion of Sensitive Information into Log File in Apache NiFi Stateless
In Apache NiFi 1.10.0 to 1.11.4, the NiFi stateless execution engine produced log output which included sensitive property values. When a flow was triggered, the flow definition configuration JSON was printed, potentially containing sensitive values in plaintext.
Metadata
Created: 2022-01-06T20:41:02Z
Modified: 2023-09-12T15:04:25Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-g644-pr5v-vppf/GHSA-g644-pr5v-vppf.json
CWE IDs: ["CWE-532"]
Alternative ID: GHSA-g644-pr5v-vppf
Finding: F091
Auto approve: 1