Main Vulnerability Database Vulnerabilities #VU106091

#VU106091 Information disclosure in Apache Nifi - CVE-2025-27017

Published: March 27, 2025

Vulnerability identifier: #VU106091

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2025-27017

CWE-ID: CWE-200

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Apache Nifi

Software vendor:
Apache Foundation

Description

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to the application includes the username and password used to authenticate with MongoDB in the NiFi provenance events that MongoDB components generate during processing. A remote user with read access to the provenance events can obtain MongoDB credentials.

Remediation

Install updates from vendor's website.

External links

http://www.openwall.com/lists/oss-security/2025/03/11/1
https://lists.apache.org/thread/d4n5474jkhp82dvnht13pjtlfx7bhn5q
https://lists.apache.org/thread/hkq7wbb01ldgt3lr4o3d1zrthqdzol5t

#VU106091 Information disclosure in Apache Nifi - CVE-2025-27017

Description

Remediation

External links

Please verify you're human