CVE-2025-27017 MEDIUM

CVE-2025-27017: Apache NiFi: Potential Insertion of MongoDB Password in Provenance Record

Vendor Apache Software Foundation
Product Apache NiFi
Weakness CWE-538
Published March 12, 2025
Last update March 12, 2025

CVSS base score

6.9/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/S:P/AU:Y/R:U/V:C/RE:L/U:Green

What the vulnerability does

Description

Apache NiFi 1.13.0 through 2.2.0 includes the username and password used to authenticate with MongoDB in the NiFi provenance events that MongoDB components generate during processing. An authorized user with read access to the provenance events of those processors can therefore see those credentials. Upgrading to Apache NiFi 2.3.0, which removes the credentials from provenance event records, is the recommended mitigation.

Key dates

Disclosure timeline

March 12, 2025 CVE published
March 12, 2025 Record updated