org.apache.nifi:nifi-security-utils@1.12.1 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.nifi:nifi-security-utils package. This does not include vulnerabilities belonging to this package’s dependencies.

Severity: Medium

Cryptographic Issues

org.apache.nifi:nifi-security-utils is the security utilities module of Apache NiFi, a system to process and distribute data.

Affected versions of this package are vulnerable to Cryptographic Issues. NiFi accepts a password and an encryption algorithm in nifi.properties (nifi.sensitive.props.key and nifi.sensitive.props.algorithm), which are used to encrypt all sensitive processor properties throughout the application. The password defaults to empty and the algorithm defaults to PBEWITHMD5AND256BITAES-CBC-OPENSSL. This algorithm:

  • uses MD5 as its digest function, which is not cryptographically secure [1][2][3][4]
  • derives the key with a single iteration of that digest, so each password guess costs only a few hash computations [5][6]
  • limits the password to 16 characters on JVMs without the unlimited strength cryptographic jurisdiction policy files installed [NIFI-1255]

This is considered insecure practice: with the default empty password, anyone who obtains the stored flow configuration can decrypt every sensitive processor property, and even with a password set, the weak derivation makes offline guessing cheap.
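The following is an added example, not code from the advisory or from Apache NiFi. It re-implements the key derivation that the cipher name PBEWITHMD5AND256BITAES-CBC-OPENSSL denotes in Bouncy Castle (OpenSSL's EVP_BytesToKey with MD5 and an iteration count of 1) and runs a dictionary attack against keys derived from a constructed salt and wordlist, first for the empty default password and then for a weak non-empty one. A PBKDF2-HMAC-SHA256 derivation is included only for comparison of cost per guess; the salt, wordlist and iteration count are constructed values for illustration.

```python
import hashlib
import hmac

# Constructed example values (not from any NiFi deployment): an 8-byte salt as
# used by the OpenSSL-style scheme, and a tiny wordlist with the empty string
# first, because an empty password is what NiFi < 1.14.0 defaults to.
SALT = bytes.fromhex("0102030405060708")
WORDLIST = [b"", b"admin", b"password", b"nifi", b"changeit", b"secret"]


def openssl_md5_kdf(password: bytes, salt: bytes, key_len: int = 32, iv_len: int = 16):
    """Key derivation behind PBEWITHMD5AND256BITAES-CBC-OPENSSL.

    OpenSSL's EVP_BytesToKey with MD5 and count=1:
    D_1 = MD5(password || salt), D_i = MD5(D_{i-1} || password || salt),
    concatenated until 32 key bytes and 16 IV bytes are available.
    There is no work factor to tune: three MD5 calls per candidate password.
    """
    out = b""
    prev = b""
    while len(out) < key_len + iv_len:
        prev = hashlib.md5(prev + password + salt).digest()
        out += prev
    return out[:key_len], out[key_len:key_len + iv_len]


def openssl_md5_key(password: bytes, salt: bytes) -> bytes:
    """Key-only wrapper so both KDFs share one signature for the attack below."""
    return openssl_md5_kdf(password, salt)[0]


def pbkdf2_sha256_kdf(password: bytes, salt: bytes,
                      iterations: int = 200_000, key_len: int = 32) -> bytes:
    """An iterated derivation for comparison (PBKDF2-HMAC-SHA256).
    The iteration count (constructed choice here) is what makes a guess costly."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, key_len)


def md5_calls_per_guess(key_len: int = 32, iv_len: int = 16) -> int:
    """Number of MD5 invocations one guess costs under the OpenSSL scheme."""
    return -(-(key_len + iv_len) // hashlib.md5().digest_size)


def dictionary_attack(target_key: bytes, salt: bytes, candidates, kdf):
    """Offline guessing: re-derive the key for each candidate and compare.
    Returns (recovered_password, guesses_made) or (None, guesses_made)."""
    guesses = 0
    for cand in candidates:
        guesses += 1
        if hmac.compare_digest(kdf(cand, salt), target_key):
            return cand, guesses
    return None, guesses


if __name__ == "__main__":
    # Operator left the default (empty) password: the very first guess wins.
    key = openssl_md5_key(b"", SALT)
    print("empty default:", dictionary_attack(key, SALT, WORDLIST, openssl_md5_key))

    # A weak non-empty password: still only a handful of MD5 calls per guess.
    key = openssl_md5_key(b"changeit", SALT)
    print("weak password:", dictionary_attack(key, SALT, WORDLIST, openssl_md5_key),
          md5_calls_per_guess(), "MD5 calls per guess")

    # Same password and wordlist under PBKDF2: every guess costs 200,000 HMACs.
    key = pbkdf2_sha256_kdf(b"changeit", SALT)
    print("pbkdf2:", dictionary_attack(key, SALT, WORDLIST, pbkdf2_sha256_kdf))
```

Timing the two attacks on a real wordlist shows the practical difference: the MD5 scheme tests a candidate in three short hash calls, while the iterated derivation multiplies the cost of each guess by its iteration count, which is the property the default algorithm lacks.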

How to fix Cryptographic Issues?

Upgrade org.apache.nifi:nifi-security-utils to version 1.14.0 or higher. From 1.14.0 the default sensitive properties algorithm is NIFI_PBKDF2_AES_GCM_256 and NiFi no longer runs with an empty nifi.sensitive.props.key; set a long random key and use the NiFi Toolkit encrypt-config tool to re-encrypt an existing flow when the key or algorithm changes.
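For reference, the two nifi.properties settings involved, shown as an added before/after fragment (not taken from the advisory or from a NiFi distribution). The key value is a placeholder; generate your own long random value.

```properties
# Defaults on affected versions (< 1.14.0): empty key, MD5-based OpenSSL PBE.
nifi.sensitive.props.key=
nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL

# NiFi 1.14.0 and later: non-empty key, PBKDF2-derived AES-GCM default.
# REPLACE_WITH_A_LONG_RANDOM_VALUE is a placeholder, not a usable key.
nifi.sensitive.props.key=REPLACE_WITH_A_LONG_RANDOM_VALUE
nifi.sensitive.props.algorithm=NIFI_PBKDF2_AES_GCM_256
```

Changing either property after a flow has been saved does not re-encrypt the values already stored in the flow configuration; run the encrypt-config tool against the old and new settings so that every sensitive property is migrated before restarting with the new key.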

Vulnerable versions: [0,1.14.0)