org.apache.nifi:nifi-security-utils 1.11.1 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.nifi:nifi-security-utils package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
M Cryptographic Issues org.apache.nifi:nifi-security-utils is a system to process and distribute data. Affected versions of this package are vulnerable to Cryptographic Issues. NiFi accepts a password and encryption algorithm in `{{nifi.properties}}` which are used to encrypt all sensitive processor properties throughout the application. The password defaults to empty and the algorithm defaults to `{{PBEWITHMD5AND256BITAES-CBC-OPENSSL}}`. This algorithm: uses a digest function ({{MD5}}) which is not cryptographically secure [1][2][3][4] uses a single iteration count [5][6] limits password input to 16 characters on JVMs without the unlimited strength cryptographic jurisdiction policy files installed [NIFI-1255] This is considered insecure practice. How to fix Cryptographic Issues? Upgrade `org.apache.nifi:nifi-security-utils` to version 1.14.0 or higher.	[0,1.14.0)
M Information Exposure org.apache.nifi:nifi-security-utils is a system to process and distribute data. Affected versions of this package are vulnerable to Information Exposure. The NiFi stateless execution engine produced log output which included sensitive property values. When a flow was triggered, the flow definition configuration JSON was printed, potentially containing sensitive values in plaintext. How to fix Information Exposure? Upgrade `org.apache.nifi:nifi-security-utils` to version 1.12.0 or higher.	[1.10.0,1.12.0)

Vulnerability

Vulnerable Version

Cryptographic Issues

org.apache.nifi:nifi-security-utils is a system to process and distribute data.

Affected versions of this package are vulnerable to Cryptographic Issues. NiFi accepts a password and encryption algorithm in {{nifi.properties}} which are used to encrypt all sensitive processor properties throughout the application. The password defaults to empty and the algorithm defaults to {{PBEWITHMD5AND256BITAES-CBC-OPENSSL}}. This algorithm:

uses a digest function ({{MD5}}) which is not cryptographically secure [1][2][3][4]
uses a single iteration count [5][6]
limits password input to 16 characters on JVMs without the unlimited strength cryptographic jurisdiction policy files installed [NIFI-1255]

This is considered insecure practice.

How to fix Cryptographic Issues?

Upgrade org.apache.nifi:nifi-security-utils to version 1.14.0 or higher.

[0,1.14.0)

Information Exposure

org.apache.nifi:nifi-security-utils is a system to process and distribute data.

Affected versions of this package are vulnerable to Information Exposure. The NiFi stateless execution engine produced log output which included sensitive property values. When a flow was triggered, the flow definition configuration JSON was printed, potentially containing sensitive values in plaintext.

How to fix Information Exposure?

Upgrade org.apache.nifi:nifi-security-utils to version 1.12.0 or higher.

[1.10.0,1.12.0)

org.apache.nifi:nifi-security-utils@1.11.1 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities

How to fix?