CVE-2024-52067 MEDIUM

CVE-2024-52067: Apache NiFi: Potential Insertion of Sensitive Parameter Values in Debug Log

Vendor Apache Software Foundation

Product Apache NiFi

Weakness CWE-532 · Sensitive info in logs

Published November 21, 2024

Last update November 21, 2024

View on NVD All CVEs

CVSS base score

6.9/10

Attack vector Local

Attack complexity Low

Privileges required High

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/AU:Y/R:U/V:D/RE:L/U:Green

What the vulnerability does

Description

Apache NiFi 1.16.0 through 1.28.0 and 2.0.0-M1 through 2.0.0-M4 include optional debug logging of Parameter Context values during the flow synchronization process. An authorized administrator with access to change logging levels could enable debug logging for framework flow synchronization, causing the application to write Parameter names and values to the application log. Parameter Context values may contain sensitive information depending on application flow configuration. Deployments of Apache NiFi with the default Logback configuration do not log Parameter Context values. Upgrading to Apache NiFi 2.0.0 or 1.28.1 is the recommendation mitigation, eliminating Parameter value logging from the flow synchronization process regardless of the Logback configuration.

Key dates

Disclosure timeline

November 21, 2024 CVE published

November 21, 2024 Record updated

Identifiers

CVE CVE-2024-52067

CWE CWE-532

CVSS 6.9 / MEDIUM

Affected versions

Vendor Apache Software Foundation

Product Apache NiFi

Affected ≥ 1.16.0 and ≤ 1.28.0

Vendor Apache Software Foundation

Product Apache NiFi

Affected ≥ 2.0.0-M1 and ≤ 2.0.0-M4