CVE-2024-52067

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-52067
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-52067.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-52067
Aliases
Published
2024-11-21T11:15:35Z
Modified
2025-02-12T02:44:54.639291Z
Severity
  • 4.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Summary
[none]
Details

Apache NiFi 1.16.0 through 1.28.0 and 2.0.0-M1 through 2.0.0-M4 include optional debug logging of Parameter Context values during the flow synchronization process. An authorized administrator with access to change logging levels could enable debug logging for framework flow synchronization, causing the application to write Parameter names and values to the application log. Parameter Context values may contain sensitive information depending on application flow configuration. Deployments of Apache NiFi with the default Logback configuration do not log Parameter Context values. Upgrading to Apache NiFi 2.0.0 or 1.28.1 is the recommended mitigation, eliminating Parameter value logging from the flow synchronization process regardless of the Logback configuration.

References

Affected packages

Git / github.com/apache/nifi

Affected ranges

Type
GIT
Repo
https://github.com/apache/nifi
Events

Affected versions

nifi-1.*

nifi-1.16.0-RC3
nifi-1.17.0-RC2
nifi-1.18.0-RC4
nifi-1.19.0-RC1
nifi-1.20.0-RC1
nifi-1.21.0-RC2
nifi-1.22.0-RC1
nifi-1.23.0-RC3
nifi-1.24.0-RC5
nifi-1.25.0-RC1
nifi-1.26.0-RC1
nifi-1.27.0-RC2
nifi-1.28.0-RC1

rel/nifi-1.*

rel/nifi-1.16.0
rel/nifi-1.17.0
rel/nifi-1.18.0
rel/nifi-1.19.0
rel/nifi-1.20.0
rel/nifi-1.21.0
rel/nifi-1.22.0
rel/nifi-1.23.0
rel/nifi-1.24.0
rel/nifi-1.25.0
rel/nifi-1.26.0
rel/nifi-1.27.0
rel/nifi-1.28.0