GHSA-7q8g-gpfp-v8gx

Source

https://github.com/advisories/GHSA-7q8g-gpfp-v8gx

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-7q8g-gpfp-v8gx/GHSA-7q8g-gpfp-v8gx.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-7q8g-gpfp-v8gx

Aliases

CVE-2020-1942

Published

2022-01-06T20:40:58Z

Modified

2024-02-16T08:20:34.045752Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Insertion of Sensitive Information into Log File in Apache NiFi

Details

In Apache NiFi 0.0.1 to 1.11.0, the flow fingerprint factory generated flow fingerprints which included sensitive property descriptor values. In the event a node attempted to join a cluster and the cluster flow was not inheritable, the flow fingerprint of both the cluster and local flow was printed, potentially containing sensitive values in plaintext.

Database specific

{
    "nvd_published_at": "2020-02-11T21:15:00Z",
    "cwe_ids": [
        "CWE-200",
        "CWE-532"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2021-03-29T15:49:09Z"
}

References

Affected packages

Maven / org.apache.nifi:nifi-framework-core

Package

Name: org.apache.nifi:nifi-framework-core; View open source insights on deps.dev
Purl: pkg:maven/org.apache.nifi/nifi-framework-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0.0.1

Fixed

1.12.0-RC1

Affected versions

0.*

0.0.1-incubating

0.0.2-incubating

0.1.0-incubating

0.2.0-incubating

0.2.1

0.3.0

0.4.0

0.4.1

0.5.0

0.5.1

0.6.0

0.6.1

0.7.0

0.7.1

0.7.2

0.7.3

0.7.4

1.*

1.0.0-BETA

1.0.0

1.0.1

1.1.0

1.1.1

1.1.2

1.2.0

1.3.0

1.4.0

1.5.0

1.6.0

1.7.0

1.7.1

1.8.0

1.9.0

1.9.1

1.9.2

1.10.0

1.11.0

1.11.1

1.11.2

1.11.3

1.11.4

Database specific

{
    "last_known_affected_version_range": "<= 1.11.0"
}

Maven / org.apache.nifi:nifi-security-utils