CVE-2025-27017

Source
https://cve.org/CVERecord?id=CVE-2025-27017
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-27017.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-27017
Aliases
Published
2025-03-12T16:19:45.206Z
Modified
2026-07-15T01:48:57.038157519Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/S:P/AU:Y/R:U/V:C/RE:L/U:Green CVSS Calculator
Summary
Apache NiFi: Potential Insertion of MongoDB Password in Provenance Record
Details

Apache NiFi 1.13.0 through 2.2.0 includes the username and password used to authenticate with MongoDB in the NiFi provenance events that MongoDB components generate during processing. An authorized user with read access to the provenance events of those processors may see the credentials information. Upgrading to Apache NiFi 2.3.0 is the recommended mitigation, which removes the credentials from provenance event records.

Database specific
{
    "cna_assigner": "apache",
    "cwe_ids": [
        "CWE-538"
    ],
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "1.13.0"
                },
                {
                    "last_affected": "2.2.0"
                }
            ]
        },
        {
            "source": "DESCRIPTION",
            "extracted_events": [
                {
                    "introduced": "1.13.0"
                },
                {
                    "fixed": "2.2.0"
                }
            ]
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/27xxx/CVE-2025-27017.json"
}
References

Affected packages

Git / github.com/apache/nifi

Affected ranges

Type
GIT
Repo
https://github.com/apache/nifi
Events
Database specific
{
    "source": "CPE_RANGE",
    "cpe": "cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "1.13.0"
        },
        {
            "fixed": "2.3.0"
        }
    ]
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-27017.json"