org.apache.nifi:nifi-security-utils@1.6.0 vulnerabilities

  • latest version: 1.28.1
  • first published: 9 years ago
  • latest version published: 1 month ago

  • Direct Vulnerabilities

    Known vulnerabilities in the org.apache.nifi:nifi-security-utils package. This does not include vulnerabilities belonging to this package’s dependencies.

    • Cryptographic Issues (severity: Medium)

    org.apache.nifi:nifi-security-utils is a system to process and distribute data.

    Affected versions of this package are vulnerable to Cryptographic Issues. NiFi accepts a password and encryption algorithm in nifi.properties which are used to encrypt all sensitive processor properties throughout the application. The password defaults to empty and the algorithm defaults to PBEWITHMD5AND256BITAES-CBC-OPENSSL. This algorithm:

    • uses a digest function (MD5) which is not cryptographically secure [1][2][3][4]
    • uses a single iteration count [5][6]
    • limits password input to 16 characters on JVMs without the unlimited strength cryptographic jurisdiction policy files installed [NIFI-1255]

    This is considered insecure practice.

    How to fix Cryptographic Issues?

    Upgrade org.apache.nifi:nifi-security-utils to version 1.14.0 or higher.

    Vulnerable versions: [0,1.14.0)
    • Information Exposure (severity: High)

    org.apache.nifi:nifi-security-utils is a system to process and distribute data.

    Affected versions of this package are vulnerable to Information Exposure. The flow fingerprint factory generated flow fingerprints which included sensitive property descriptor values. In the event a node attempted to join a cluster and the cluster flow was not inheritable, the flow fingerprint of both the cluster and local flow was printed, potentially containing sensitive values in plaintext.

    How to fix Information Exposure?

    Upgrade org.apache.nifi:nifi-security-utils to version 1.11.1 or higher.

    Vulnerable versions: [,1.11.1)
    • Information Exposure (severity: Medium)

    org.apache.nifi:nifi-security-utils is a system to process and distribute data.

    Affected versions of this package are vulnerable to Information Exposure. The XMLFileLookupService allows trusted users to inadvertently configure a potentially malicious XML file. The XML file can make external calls to services (via XXE, XML External Entity injection) and reveal information such as the versions of Java, Jersey, and Apache that the NiFi instance uses.

    How to fix Information Exposure?

    Upgrade org.apache.nifi:nifi-security-utils to version 1.10.0 or higher.

    Vulnerable versions: [1.3.0,1.10.0)
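A hardened JAXP parser configuration of the kind that closes this XXE exposure, as an added example (not NiFi's own XMLFileLookupService code): the class name, the two sample lookup files and the example.invalid URL are constructed for illustration. The parser refuses any DOCTYPE, so an external entity is never resolved.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class HardenedXmlLookupParser {
    // Constructed sample lookup file (not from NiFi): its DOCTYPE declares an external
    // entity, which is exactly what a hardened parser must refuse to resolve.
    static final String UNTRUSTED_LOOKUP_FILE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE properties [<!ENTITY ext SYSTEM \"http://example.invalid/lookup\">]>\n"
      + "<properties><property key=\"greeting\" value=\"&ext;\"/></properties>";
    // Constructed sample without a DOCTYPE; this one must still parse normally.
    static final String SAFE_LOOKUP_FILE =
        "<properties><property key=\"greeting\" value=\"hello\"/></properties>";

    /** DocumentBuilder that refuses DOCTYPEs and never resolves external entities or DTDs. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Rejecting the DOCTYPE outright blocks both general and parameter external entities.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a parser implementation ignores the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Returns the parsed document, or null when the file was rejected as unsafe. */
    static Document parseLookupFile(String xml) throws Exception {
        try {
            byte[] bytes = xml.getBytes(StandardCharsets.UTF_8);
            return hardenedBuilder().parse(new ByteArrayInputStream(bytes));
        } catch (SAXParseException e) {
            // With disallow-doctype-decl the parser fails fast on the DOCTYPE line itself.
            System.err.println("rejected lookup file: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("safe file parsed: " + (parseLookupFile(SAFE_LOOKUP_FILE) != null));
        System.out.println("untrusted file parsed: " + (parseLookupFile(UNTRUSTED_LOOKUP_FILE) != null));
    }
}
```

The same factory settings apply to SAXParserFactory and XMLInputFactory based parsers; the point is that user-supplied lookup files are parsed with a builder that cannot reach the network or the filesystem.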