org.apache.nifi:nifi-security-utils@1.10.0 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.nifi:nifi-security-utils package. This does not include vulnerabilities belonging to this package’s dependencies.

Severity: Medium
Cryptographic Issues

org.apache.nifi:nifi-security-utils is a system to process and distribute data.

Affected versions of this package are vulnerable to Cryptographic Issues. NiFi accepts a password and encryption algorithm in nifi.properties which are used to encrypt all sensitive processor properties throughout the application. The password defaults to empty and the algorithm defaults to PBEWITHMD5AND256BITAES-CBC-OPENSSL. This algorithm:

  • uses a digest function (MD5) which is not cryptographically secure [1][2][3][4]
  • uses a single iteration count [5][6]
  • limits password input to 16 characters on JVMs without the unlimited strength cryptographic jurisdiction policy files installed [NIFI-1255]

This is considered insecure practice.

How to fix Cryptographic Issues?

Upgrade org.apache.nifi:nifi-security-utils to version 1.14.0 or higher.
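To make the first two listed weaknesses concrete, here is an added example (not NiFi's own code) that reproduces the OpenSSL-style key derivation behind PBEWITHMD5AND256BITAES-CBC-OPENSSL (MD5 with a single iteration) beside an iterated PBKDF2 derivation, plus a small check that flags a nifi.properties file still carrying the empty default password or the default algorithm. The property names nifi.sensitive.props.key and nifi.sensitive.props.algorithm are NiFi's standard keys, not quoted on this page, and the sample properties text is constructed.

```python
import hashlib

# Default algorithm named in the advisory: OpenSSL EVP_BytesToKey with MD5, count = 1.
DEFAULT_ALGORITHM = "PBEWITHMD5AND256BITAES-CBC-OPENSSL"


def evp_bytes_to_key_md5(password: bytes, salt: bytes,
                         key_len: int = 32, iv_len: int = 16, count: int = 1):
    """OpenSSL EVP_BytesToKey: D_i = MD5^count(D_{i-1} || password || salt),
    concatenated until key_len + iv_len bytes exist. The scheme NiFi defaulted
    to uses MD5 and count = 1, so an AES-256 key plus IV costs three MD5 calls."""
    derived = b""
    block = b""
    while len(derived) < key_len + iv_len:
        block = hashlib.md5(block + password + salt).digest()
        for _ in range(count - 1):          # extra iterations, unused when count = 1
            block = hashlib.md5(block).digest()
        derived += block
    return derived[:key_len], derived[key_len:key_len + iv_len]


def pbkdf2_key(password: bytes, salt: bytes, iterations: int = 600_000) -> bytes:
    """Iterated HMAC-SHA256 derivation: cost per password guess scales with iterations."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, 32)


def check_sensitive_props(properties_text: str) -> list:
    """Flag the two defaults the advisory describes in nifi.properties text."""
    props = {}
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    findings = []
    if props.get("nifi.sensitive.props.key", "") == "":
        findings.append("nifi.sensitive.props.key is empty (the insecure default)")
    if props.get("nifi.sensitive.props.algorithm", DEFAULT_ALGORITHM) == DEFAULT_ALGORITHM:
        findings.append("nifi.sensitive.props.algorithm is the MD5 single-iteration default")
    return findings


# Constructed sample of the two relevant lines from a pre-1.14.0 nifi.properties.
SAMPLE_NIFI_PROPERTIES = """
nifi.sensitive.props.key=
nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
"""
```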

Vulnerable versions: [0,1.14.0)

Severity: Medium
Information Exposure

org.apache.nifi:nifi-security-utils is a system to process and distribute data.

Affected versions of this package are vulnerable to Information Exposure. The NiFi stateless execution engine produced log output which included sensitive property values. When a flow was triggered, the flow definition configuration JSON was printed, potentially containing sensitive values in plaintext.

How to fix Information Exposure?

Upgrade org.apache.nifi:nifi-security-utils to version 1.12.0 or higher.

Vulnerable versions: [1.10.0,1.12.0)

Severity: High
Information Exposure

org.apache.nifi:nifi-security-utils is a system to process and distribute data.

Affected versions of this package are vulnerable to Information Exposure. The flow fingerprint factory generated flow fingerprints which included sensitive property descriptor values. In the event a node attempted to join a cluster and the cluster flow was not inheritable, the flow fingerprint of both the cluster and local flow was printed, potentially containing sensitive values in plaintext.

How to fix Information Exposure?

Upgrade org.apache.nifi:nifi-security-utils to version 1.11.1 or higher.

Vulnerable versions: [,1.11.1)