CVE-2025-27017

Apache NiFi 1.13.0 through 2.2.0 includes the username and password used to authenticate with MongoDB in the NiFi provenance events that MongoDB components generate during processing. An authorized user with read access to the provenance events of those processors may see the credentials information. Upgrading to Apache NiFi 2.3.0 is the recommended mitigation, which removes the credentials from provenance event records.

CVSS

No CVSS.

References

Link	Resource
https://lists.apache.org/thread/d4n5474jkhp82dvnht13pjtlfx7bhn5q
http://www.openwall.com/lists/oss-security/2025/03/11/1

Configurations

No configuration.

History

12 Mar 2025, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-12 17:15

Updated : 2025-03-12 17:15

NVD link : CVE-2025-27017

Mitre link : CVE-2025-27017

CVE.ORG link : CVE-2025-27017

JSON object : View

Products Affected

No product.

CWE

CWE-538

Insertion of Sensitive Information into Externally-Accessible File or Directory

{"id": "CVE-2025-27017", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security@apache.org", "cvssData": {"Safety": "PRESENT", "version": "4.0", "Recovery": "USER", "baseScore": 6.9, "Automatable": "YES", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:C/RE:L/U:Green", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "GREEN", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "LOW", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-03-12T17:15:50.327", "references": [{"url": "https://lists.apache.org/thread/d4n5474jkhp82dvnht13pjtlfx7bhn5q", "source": "security@apache.org"}, {"url": "http://www.openwall.com/lists/oss-security/2025/03/11/1", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Received", "weaknesses": [{"type": "Primary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-538"}]}], "descriptions": [{"lang": "en", "value": "Apache NiFi 1.13.0 through 2.2.0 includes the username and password used to authenticate with MongoDB in the NiFi provenance events that MongoDB components generate during processing. An authorized user with read access to the provenance events of those processors may see the credentials information. Upgrading to Apache NiFi 2.3.0 is the recommended mitigation, which removes the credentials from provenance event records."}], "lastModified": "2025-03-12T17:15:50.327", "sourceIdentifier": "security@apache.org"}