Main Vulnerability Database Vulnerabilities #VU24700

Information disclosure in Apache Nifi - CVE-2020-1928

Published: January 28, 2020

Vulnerability identifier: #VU24700

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2020-1928

CWE-ID: CWE-200

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Apache Foundation

Affected software:
Apache Nifi

Detailed vulnerability description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to the sensitive parameter parser would log parsed values for debugging purposes. This would expose literal values entered in a sensitive property when no parameter was present. A remote attacker can gain unauthorized access to sensitive information on the system.

How to mitigate CVE-2020-1928

Install updates from vendor's website.

Sources

https://nifi.apache.org/security.html#CVE-2020-1928

Information disclosure in Apache Nifi - CVE-2020-1928

Detailed vulnerability description

How to mitigate CVE-2020-1928

Sources

Please verify you're human