Insertion of Sensitive Information into Externally-Accessible File or Directory Affecting org.apache.nifi:nifi-mongodb-services package, versions [1.13.0,2.3.0)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-JAVA-ORGAPACHENIFI-9403308
published13 Mar 2025
disclosed12 Mar 2025
creditRobert Creese

Report a new vulnerability Found a mistake?

Introduced: 12 Mar 2025

NewCVE-2025-27017 (opens in a new tab) CWE-538 (opens in a new tab)

How to fix?

Upgrade org.apache.nifi:nifi-mongodb-services to version 2.3.0 or higher.

Overview

Affected versions of this package are vulnerable to Insertion of Sensitive Information into Externally-Accessible File or Directory due to the inclusion of sensitive credentials in provenance events. An attacker with read access to the provenance events can gain unauthorized access to MongoDB credentials by viewing the provenance records.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
Present
Privileges Required (PR)
High
User Interaction (UI)
None
Safety (S)
Partial
Automatable (AU)
Yes
Recovery (R)
Unreliable
Value Density (V)
Concentrated
Vulnerability Response Effort (RE)
Low
Provider Urgency (U)
Green

Confidentiality (VC)
High
Integrity (VI)
None
Availability (VA)
None

Confidentiality (SC)
High
Integrity (SI)
None
Availability (SA)
None