Ecosyste.ms: Advisories

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXc0ZmotY2NyNi03cGNw

Apache NiFi Insertion of Sensitive Information into Log File

An information disclosure vulnerability was found in Apache NiFi 1.10.0. The sensitive parameter parser would log parsed values for debugging purposes. This would expose literal values entered in a sensitive property when no parameter was present.

Permalink: https://github.com/advisories/GHSA-w4fj-ccr6-7pcp
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXc0ZmotY2NyNi03cGNw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: 7 months ago

CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Identifiers: GHSA-w4fj-ccr6-7pcp, CVE-2020-1928
References:

• https://nvd.nist.gov/vuln/detail/CVE-2020-1928
• https://github.com/apache/nifi/commit/42cb6e84898e66672878f61f99543d6af3c0a567
• https://lists.apache.org/thread.html/r17aaa3a05b5b7fe9075613dd0c681efa60a4f8c8fbad152c61371b6e@%3Cusers.tomcat.apache.org%3E
• https://lists.apache.org/thread.html/r38a5b7943b9a62ecb853acc22ef08ff586a7b3c66e08f949f0396ab1@%3Cusers.tomcat.apache.org%3E
• https://lists.apache.org/thread.html/rd50baccd1bbb96c2327d5a8caa25a49692b3d68d96915bd1cfbb9f8b@%3Cusers.tomcat.apache.org%3E
• https://nifi.apache.org/security.html#CVE-2020-1928
• https://github.com/apache/nifi/pull/3935
• https://github.com/advisories/GHSA-w4fj-ccr6-7pcp

Repository: https://github.com/apache/nifi
Blast Radius: 9.7

Affected Packages