Main Vulnerability Database Vulnerabilities #VU106091

Information disclosure in Apache Nifi - CVE-2025-27017

Published: March 27, 2025

Vulnerability identifier: #VU106091

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2025-27017

CWE-ID: CWE-200

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Apache Foundation

Affected software:
Apache Nifi

Detailed vulnerability description

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to the application includes the username and password used to authenticate with MongoDB in the NiFi provenance events that MongoDB components generate during processing. A remote user with read access to the provenance events can obtain MongoDB credentials.

How to mitigate CVE-2025-27017

Install updates from vendor's website.

Sources

http://www.openwall.com/lists/oss-security/2025/03/11/1
https://lists.apache.org/thread/d4n5474jkhp82dvnht13pjtlfx7bhn5q
https://lists.apache.org/thread/hkq7wbb01ldgt3lr4o3d1zrthqdzol5t

Information disclosure in Apache Nifi - CVE-2025-27017

Detailed vulnerability description

How to mitigate CVE-2025-27017

Sources

Please verify you're human