Moderate severity · NVD Advisory · Published Mar 12, 2025 · Updated Mar 12, 2025
Apache NiFi: Potential Insertion of MongoDB Password in Provenance Record
CVE-2025-27017
Description
Apache NiFi 1.13.0 through 2.2.0 includes the username and password used to authenticate with MongoDB in the NiFi provenance events that MongoDB components generate during processing. An authorized user with read access to the provenance events of those processors may see the credential information. The recommended mitigation is upgrading to Apache NiFi 2.3.0, which removes the credentials from provenance event records.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.nifi:nifi-mongodb-services (Maven) | >= 1.13.0, < 2.3.0 | 2.3.0 |
References
- github.com/advisories/GHSA-35gq-cvrm-xf94 (ghsa, advisory)
- lists.apache.org/thread/d4n5474jkhp82dvnht13pjtlfx7bhn5q (ghsa, vendor-advisory, web)
- nvd.nist.gov/vuln/detail/CVE-2025-27017 (ghsa, advisory)
- www.openwall.com/lists/oss-security/2025/03/11/1 (ghsa, web)
- github.com/apache/nifi/commit/48d684500f6ad70f65bfd510db054590c5bc74a9 (ghsa, web)
- issues.apache.org/jira/browse/NIFI-14272 (ghsa, web)