Apache NiFi 1.16.0 through 1.28.0 and 2.0.0-M1 through 2.0.0-M4 include optional debug logging of Parameter Context values during the flow synchronization process. An authorized administrator with access to change logging levels could enable debug logging for framework flow synchronization, causing the application to write Parameter names and values to the application log. Parameter Context values may contain sensitive information depending on application flow configuration. Deployments of Apache NiFi with the default Logback configuration do not log Parameter Context values. Upgrading to Apache NiFi 2.0.0 or 1.28.1 is the recommended mitigation, eliminating Parameter value logging from the flow synchronization process regardless of the Logback configuration.
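The description names two conditions that must both hold before Parameter values reach nifi-app.log: an affected version, and a Logback configuration that raises a framework logger to DEBUG. The script below is an added example (not part of this advisory and not Apache NiFi project code) that checks both from a version string and the contents of a logback.xml. Because the advisory does not name the exact flow-synchronization logger, the check is deliberately conservative: it assumes NiFi framework loggers live under the Java package prefix org.apache.nifi and flags any logger under that prefix set to DEBUG/TRACE, plus a root logger at that level (loggers without their own level inherit it). The two sample configurations are constructed for the example and are not NiFi's shipped files.

```python
"""Exposure check for CVE-2024-52067 (added example; not Apache NiFi code).

Assumptions:
  * NiFi framework loggers live under the package prefix "org.apache.nifi";
    the advisory does not name the flow-synchronization logger, so any NiFi
    logger at DEBUG/TRACE (or a verbose <root>) is treated as exposing values.
  * The Logback file uses the standard <logger name= level=> and <root level=>
    elements found in NiFi's conf/logback.xml.
"""
import re
import xml.etree.ElementTree as ET

NIFI_LOGGER_PREFIX = "org.apache.nifi"      # assumption, see module docstring
VERBOSE_LEVELS = {"DEBUG", "TRACE", "ALL"}   # levels at which debug lines are emitted

# "1.28.0" or "2.0.0-M3"; milestone builds carry a "-M<n>" suffix.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?")


def parse_version(text):
    """'1.28.0' -> (1, 28, 0, None); '2.0.0-M3' -> (2, 0, 0, 3)."""
    m = _VERSION_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"unrecognised NiFi version: {text!r}")
    major, minor, patch, milestone = m.groups()
    return int(major), int(minor), int(patch), (int(milestone) if milestone else None)


def is_affected_version(text):
    """Affected ranges from the advisory: 1.16.0..1.28.0 and 2.0.0-M1..2.0.0-M4."""
    major, minor, patch, milestone = parse_version(text)
    if major == 1:
        return (1, 16, 0) <= (major, minor, patch) <= (1, 28, 0)
    if (major, minor, patch) == (2, 0, 0) and milestone is not None:
        return 1 <= milestone <= 4
    return False  # 1.28.1, 2.0.0 GA and later, and anything older than 1.16.0


def _is_nifi_logger(name):
    # exact prefix or a sub-package of it; avoids matching "org.apache.nifixyz"
    return name == NIFI_LOGGER_PREFIX or name.startswith(NIFI_LOGGER_PREFIX + ".")


def verbose_nifi_loggers(logback_xml):
    """Return [(logger_name, level)] for NiFi loggers configured at DEBUG/TRACE.

    A verbose <root> is reported as "<root>": every logger that has no level
    attribute of its own inherits the root level in Logback.
    """
    root = ET.fromstring(logback_xml)
    hits = []
    for logger in root.iter("logger"):
        name = logger.get("name", "")
        level = (logger.get("level") or "").upper()
        if _is_nifi_logger(name) and level in VERBOSE_LEVELS:
            hits.append((name, level))
    root_logger = root.find("root")
    if root_logger is not None:
        level = (root_logger.get("level") or "").upper()
        if level in VERBOSE_LEVELS:
            hits.append(("<root>", level))
    return hits


def assess(version, logback_xml):
    """Combine the version range and the logging configuration into one verdict."""
    affected = is_affected_version(version)
    verbose = verbose_nifi_loggers(logback_xml)
    fixed_in = "1.28.1" if parse_version(version)[0] == 1 else "2.0.0"
    return {
        "version": version,
        "affected_version": affected,
        "verbose_loggers": verbose,
        # Parameter values reach the log only when both conditions hold.
        "exposed": affected and bool(verbose),
        "action": f"upgrade to {fixed_in}" if affected else "no upgrade needed for this CVE",
    }


# Constructed sample configurations for this example (not NiFi's shipped files).
SAFE_CONFIG = """<configuration>
  <appender name="APP_FILE" class="ch.qos.logback.core.FileAppender">
    <file>nifi-app.log</file>
  </appender>
  <logger name="org.apache.nifi" level="INFO"/>
  <root level="INFO"><appender-ref ref="APP_FILE"/></root>
</configuration>"""

# The same file after an administrator turned framework logging up to DEBUG.
VERBOSE_CONFIG = SAFE_CONFIG.replace(
    '<logger name="org.apache.nifi" level="INFO"/>',
    '<logger name="org.apache.nifi" level="DEBUG"/>')


if __name__ == "__main__":
    for ver, cfg in (("1.28.0", SAFE_CONFIG), ("1.28.0", VERBOSE_CONFIG), ("1.28.1", VERBOSE_CONFIG)):
        print(assess(ver, cfg))
```

Run it against a real conf/logback.xml by reading the file into a string and passing it to assess() together with the version reported by the NiFi UI or nifi.sh. A verdict of "exposed" means Parameter names and values can be written to the application log until the upgrade lands; a non-verbose configuration on an affected version still warrants the upgrade, since the fix removes the logging regardless of Logback settings.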
History

Fri, 22 Nov 2024 12:00:00 +0000
  Type         Values Removed   Values Added
  References

Thu, 21 Nov 2024 16:15:00 +0000
  Type         Values Removed   Values Added
  Metrics                       ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 21 Nov 2024 09:45:00 +0000
  Type         Values Removed   Values Added
  Description                   Apache NiFi 1.16.0 through 1.28.0 and 2.0.0-M1 through 2.0.0-M4 include optional debug logging of Parameter Context values during the flow synchronization process. An authorized administrator with access to change logging levels could enable debug logging for framework flow synchronization, causing the application to write Parameter names and values to the application log. Parameter Context values may contain sensitive information depending on application flow configuration. Deployments of Apache NiFi with the default Logback configuration do not log Parameter Context values. Upgrading to Apache NiFi 2.0.0 or 1.28.1 is the recommended mitigation, eliminating Parameter value logging from the flow synchronization process regardless of the Logback configuration.
  Title                         Apache NiFi: Potential Insertion of Sensitive Parameter Values in Debug Log
  Weaknesses                    CWE-532 (Insertion of Sensitive Information into Log File)
  References
  Metrics                       cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/AU:Y/R:U/V:D/RE:L/U:Green'}
MITRE
  Status: PUBLISHED
  Assigner: apache
  Published: 2024-11-21T09:28:43.910Z
  Updated: 2024-11-21T15:37:48.210Z
  Reserved: 2024-11-05T19:48:02.758Z
  Link: CVE-2024-52067

Vulnrichment
  Updated: 2024-11-21T10:03:44.345Z

NVD
  Status: Awaiting Analysis
  Published: 2024-11-21T11:15:35.007
  Modified: 2024-11-21T13:57:24.187
  Link: CVE-2024-52067

Redhat
  No data.