Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWc2NDQtcHI1di12cHBm
Insertion of Sensitive Information into Log File in Apache NiFi Stateless
In Apache NiFi 1.10.0 to 1.11.4, the NiFi stateless execution engine produced log output which included sensitive property values. When a flow was triggered, the flow definition configuration JSON was printed, potentially containing sensitive values in plaintext.
Permalink: https://github.com/advisories/GHSA-g644-pr5v-vppfJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWc2NDQtcHI1di12cHBm
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 3 years ago
Updated: about 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-g644-pr5v-vppf, CVE-2020-9486
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-9486
- https://github.com/apache/nifi/commit/148537d64a017b73160b0d49943183c18f883ab0
- https://nifi.apache.org/security#CVE-2020-9486
- https://github.com/advisories/GHSA-g644-pr5v-vppf
Blast Radius: 7.8
Affected Packages
maven:org.apache.nifi:nifi-stateless
Dependent packages: 3Dependent repositories: 11
Downloads:
Affected Version Ranges: >= 1.10.0, <= 1.11.4
Fixed in: 1.12.0-RC1
All affected versions: 1.10.0, 1.11.0, 1.11.1, 1.11.2, 1.11.3, 1.11.4
All unaffected versions: 1.12.0, 1.12.1, 1.14.0, 1.15.0, 1.15.1, 1.15.2, 1.15.3, 1.16.0, 1.16.1, 1.16.2, 1.16.3, 1.17.0, 1.18.0, 1.19.0, 1.19.1, 1.20.0, 1.21.0, 1.22.0, 1.23.0, 1.23.1, 1.23.2, 1.24.0, 1.25.0, 1.26.0, 1.27.0