Description
Apache NiFi 1.13.0 through 2.2.0 includes the username and password used to authenticate with MongoDB in the NiFi provenance events that MongoDB components generate during processing. An authorized user with read access to the provenance events of those processors may see the credentials information. Upgrading to Apache NiFi 2.3.0 is the recommended mitigation, which removes the credentials from provenance event records.
References (2)
Core 2
Core References
Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2025/03/11/1
Mailing List, Vendor Advisory vendor-advisory
https://lists.apache.org/thread/d4n5474jkhp82dvnht13pjtlfx7bhn5q
Scores
CVSS v3
6.5
EPSS
0.0114
EPSS Percentile
62.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-538
Status
published
Products (2)
apache/nifi
1.13.0 - 2.3.0
org.apache.nifi/nifi-mongodb-services
1.13.0 - 2.3.0Maven
Published
Mar 12, 2025
Tracked Since
Feb 18, 2026