GHSA-35gq-cvrm-xf94

Source

https://github.com/advisories/GHSA-35gq-cvrm-xf94

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-35gq-cvrm-xf94/GHSA-35gq-cvrm-xf94.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-35gq-cvrm-xf94

Aliases

CVE-2025-27017

Published

2025-03-12T18:32:53Z

Modified

2025-03-13T00:12:13.815160Z

Severity

6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/S:P/AU:Y/R:U/V:C/RE:L/U:Green CVSS Calculator

Summary

Apache NiFi: Potential Insertion of MongoDB Password in Provenance Record

Details

Apache NiFi 1.13.0 through 2.2.0 includes the username and password used to authenticate with MongoDB in the NiFi provenance events that MongoDB components generate during processing. An authorized user with read access to the provenance events of those processors may see the credentials information. Upgrading to Apache NiFi 2.3.0 is the recommended mitigation, which removes the credentials from provenance event records.

Database specific

{
    "nvd_published_at": "2025-03-12T17:15:50Z",
    "cwe_ids": [
        "CWE-538"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-12T22:08:29Z"
}

References

Affected packages

Maven / org.apache.nifi:nifi-mongodb-services

Package

Name: org.apache.nifi:nifi-mongodb-services; View open source insights on deps.dev
Purl: pkg:maven/org.apache.nifi/nifi-mongodb-services

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.13.0

Fixed

2.3.0

Affected versions

1.*

1.13.0

1.13.1

1.13.2

1.14.0

1.15.0

1.15.1

1.15.2

1.15.3

1.16.0

1.16.1

1.16.2

1.16.3

1.17.0

1.18.0

1.19.0

1.19.1

1.20.0

1.21.0

1.22.0

1.23.0

1.23.1

1.23.2

1.24.0

1.25.0

1.26.0

1.27.0

1.28.0

1.28.1

2.*

2.0.0-M1

2.0.0-M2

2.0.0-M3

2.0.0-M4

2.0.0

2.1.0

2.2.0