logo

Database

Sensitive information in source code In org.apache.nifi:nifi-mongodb-services

Description

Apache NiFi: Potential Insertion of MongoDB Password in Provenance Record Apache NiFi 1.13.0 through 2.2.0 includes the username and password used to authenticate with MongoDB in the NiFi provenance events that MongoDB components generate during processing. An authorized user with read access to the provenance events of those processors may see the credentials information. Upgrading to Apache NiFi 2.3.0 is the recommended mitigation, which removes the credentials from provenance event records.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2025-270172. NVD-2025-270173. OSV-2025-270174. GCVE-2025-27017

References

1. https://github.com/apache/nifi/commit/48d684500f6ad70f65bfd510db054590c5bc74a92. https://issues.apache.org/jira/browse/NIFI-142723. https://lists.apache.org/thread/d4n5474jkhp82dvnht13pjtlfx7bhn5q4. http://www.openwall.com/lists/oss-security/2025/03/11/1

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.