Skip to main content

Nifi CVE-2024-52067

MEDIUM
Insertion of Sensitive Information into Log File (CWE-532)
2024-11-21 security@apache.org
6.9
CVSS 4.0 · Vendor: apache
Share

Severity by source

Vendor (apache) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:D/RE:L/U:Green

Primary rating from Vendor (apache) · only source for this CVE.

CVSS VectorVendor: apache

CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:D/RE:L/U:Green
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

1
CVE Published
Nov 21, 2024 - 11:15 cve.org
MEDIUM 6.9

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 5 maven packages depend on org.apache.nifi:nifi-framework-core (1 direct, 4 indirect)

Ecosystem-wide dependent count for version 1.16.0.

DescriptionCVE.org

Apache NiFi 1.16.0 through 1.28.0 and 2.0.0-M1 through 2.0.0-M4 include optional debug logging of Parameter Context values during the flow synchronization process. An authorized administrator with access to change logging levels could enable debug logging for framework flow synchronization, causing the application to write Parameter names and values to the application log. Parameter Context values may contain sensitive information depending on application flow configuration. Deployments of Apache NiFi with the default Logback configuration do not log Parameter Context values. Upgrading to Apache NiFi 2.0.0 or 1.28.1 is the recommendation mitigation, eliminating Parameter value logging from the flow synchronization process regardless of the Logback configuration.

AnalysisAI

Apache NiFi 1.16.0 through 1.28.0 and 2.0.0-M1 through 2.0.0-M4 include optional debug logging of Parameter Context values during the flow synchronization process. Rated medium severity (CVSS 6.9), this vulnerability is low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-532. Apache NiFi 1.16.0 through 1.28.0 and 2.0.0-M1 through 2.0.0-M4 include optional debug logging of Parameter Context values during the flow synchronization process. An authorized administrator with access to change logging levels could enable debug logging for framework flow synchronization, causing the application to write Parameter names and values to the application log. Parameter Context values may contain sensitive information depending on application flow configuration. Deployments of Apache NiFi with the default Logback configuration do not log Parameter Context values. Upgrading to Apache NiFi 2.0.0 or 1.28.1 is the recommendation mitigation, eliminating Parameter value logging from the flow synchronization process regardless of the Logback configuration. Affected products include: Apache Nifi. Version information: through 1.28.0.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

More in Nifi

View all
CVE-2023-34468 HIGH POC
8.8 Jun 12

The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authe

CVE-2017-5636 CRITICAL
9.8 Oct 19

In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, the proxy chain serialization/deserialization

CVE-2018-1309 CRITICAL
9.8 May 23

Apache NiFi External XML Entity issue in SplitXML processor. Rated critical severity (CVSS 9.8), this vulnerability is r

CVE-2023-36542 HIGH
8.8 Jul 29

Apache NiFi 0.0.2 through 1.22.0 include Processors and Controller Services that support HTTP URL references for retriev

CVE-2022-33140 HIGH
8.8 Jun 15

The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not ne

CVE-2019-12421 HIGH
8.8 Nov 19

When using an authentication mechanism other than PKI, when the user clicks Log Out in NiFi versions 1.0.0 to 1.9.2, NiF

CVE-2021-20190 HIGH
8.1 Jan 19

A flaw was found in jackson-databind before 2.9.10.7. Rated high severity (CVSS 8.1), this vulnerability is remotely exp

CVE-2017-5635 HIGH
7.5 Oct 19

In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, if an anonymous user request is replicated to

CVE-2017-7667 HIGH
7.5 Jun 12

Apache NiFi before 0.7.4 and 1.x before 1.3.0 need to establish the response header telling browsers to only allow frami

CVE-2026-44914 HIGH
7.5 Jun 20

Authorization bypass in Apache NiFi 1.12.0 through 2.9.0 allows authenticated users with general write access to add Res

CVE-2023-22832 HIGH
7.5 Feb 10

The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references

CVE-2022-29265 HIGH
7.5 Apr 30

Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configu

Share

CVE-2024-52067 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy