GHSA-7q8g-gpfp-v8gx

Source

https://github.com/advisories/GHSA-7q8g-gpfp-v8gx

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-7q8g-gpfp-v8gx/GHSA-7q8g-gpfp-v8gx.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-7q8g-gpfp-v8gx

Aliases

Published

2022-01-06T20:40:58Z

Modified

2025-09-15T07:42:06.368030Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Insertion of Sensitive Information into Log File in Apache NiFi

Details

In Apache NiFi 0.0.1 to 1.11.0, the flow fingerprint factory generated flow fingerprints which included sensitive property descriptor values. In the event a node attempted to join a cluster and the cluster flow was not inheritable, the flow fingerprint of both the cluster and local flow was printed, potentially containing sensitive values in plaintext.

Database specific

{
    "nvd_published_at": "2020-02-11T21:15:00Z",
    "cwe_ids": [
        "CWE-200",
        "CWE-532"
    ],
    "github_reviewed_at": "2021-03-29T15:49:09Z",
    "severity": "HIGH",
    "github_reviewed": true
}

References

Affected packages

Maven / org.apache.nifi:nifi-framework-core

Package

Name: org.apache.nifi:nifi-framework-core; View open source insights on deps.dev
Purl: pkg:maven/org.apache.nifi/nifi-framework-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0.0.1

Fixed

1.12.0-RC1

Affected versions

0.*

0.0.1-incubating

0.0.2-incubating

0.1.0-incubating

0.2.0-incubating

0.2.1

0.3.0

0.4.0

0.4.1

0.5.0

0.5.1

0.6.0

0.6.1

0.7.0

0.7.1

0.7.2

0.7.3

0.7.4

1.*

1.0.0-BETA

1.0.0

1.0.1

1.1.0

1.1.1

1.1.2

1.2.0

1.3.0

1.4.0

1.5.0

1.6.0

1.7.0

1.7.1

1.8.0

1.9.0

1.9.1

1.9.2

1.10.0

1.11.0

1.11.1

1.11.2

1.11.3

1.11.4

Database specific

last_known_affected_version_range

"<= 1.11.0"

Maven / org.apache.nifi:nifi-security-utils