CVE-2020-1942: Insertion of Sensitive Information into Log File
(updated )
In Apache NiFi 0.0.1 to 1.11.0, the flow fingerprint factory generated flow fingerprints which included sensitive property descriptor values. In the event a node attempted to join a cluster and the cluster flow was not inheritable, the flow fingerprint of both the cluster and local flow was printed, potentially containing sensitive values in plaintext.
References
- github.com/advisories/GHSA-7q8g-gpfp-v8gx
- github.com/apache/nifi/commit/95746d346cddbd6134c4b28fdc39d5813a626f97
- github.com/apache/nifi/commit/d7c29f46378379fb596e4d1e59d1a3c41063db5b
- github.com/apache/nifi/pull/4028
- issues.apache.org/jira/browse/NIFI-7079
- nifi.apache.org/security.html
- nvd.nist.gov/vuln/detail/CVE-2020-1942
Code Behaviors & Features
Detect and mitigate CVE-2020-1942 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →