List: oss-security
Subject: [oss-security] CVE-2020-1942: Apache NiFi 0.0.1 to 1.11.0 information disclosure in logs
From: Andy LoPresto <alopresto () apache ! org>
Date: 2020-02-10 21:49:30
Message-ID: CE6967F1-2CD4-4A6E-89CF-75B2FE817EAE () apache ! org
The https://nifi.apache.org/security.html page has been updated with 1 vulnerability discovered in previous NiFi versions which has been resolved in release 1.11.1. The severity of this issue was determined to be 'important'. Questions about this vulnerability can be directed to security@nifi.apache.org.
CVE-2020-1942: Apache NiFi information disclosure in logs
Severity: Important
Versions Affected: Apache NiFi 0.0.1 - 1.11.0
Description: The flow fingerprint factory generated flow fingerprints which included sensitive property descriptor values. In the event a node attempted to join a cluster and the cluster flow was not inheritable, the flow fingerprint of both the cluster and local flow was printed, potentially containing sensitive values in plaintext.
Mitigation: Implemented Argon2 secure hashing to provide a deterministic loggable value which does not reveal the sensitive value. Users running any previous NiFi release should upgrade to the latest release.
Released: February 4, 2020
If you identify new security issues within the NiFi 1.11.1 release, please forward your report to security@nifi.apache.org and do not disclose the issue publicly. The security vulnerability reporting and disclosure process can be found here: https://www.apache.org/security/committers.html.
Andy LoPresto
alopresto@apache.org
alopresto.apache@gmail.com
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69
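The advisory's description and mitigation, as an added example that is not part of the original post and is not Apache NiFi's code: a fingerprint function that embeds sensitive property values in plaintext (the behaviour the advisory describes for 0.0.1 to 1.11.0) beside one that substitutes a deterministic one-way hash so the fingerprint can still be compared across nodes and written to a log without revealing the secret. NiFi's fix uses Argon2; this example substitutes PBKDF2-HMAC-SHA256 from the Python standard library so it runs with no extra packages. The flow structure, the property names treated as sensitive, the fixed salt and the iteration count are all assumptions made for the example.

```python
import hashlib
import hmac

# Constructed, non-secret salt. It is fixed on purpose: every node must derive the
# same loggable value for the same sensitive value, or cluster and local fingerprints
# could never agree. Assumption for this example: the real fix pairs Argon2 with a
# fixed salt; PBKDF2-HMAC-SHA256 is used here only as a stand-in that needs no
# third-party library.
FINGERPRINT_SALT = b"example-fingerprint-salt"
PBKDF2_ITERATIONS = 100_000

# Which property names count as sensitive is a constructed convention for this example.
SENSITIVE_PROPERTIES = {"Password", "Access Key"}


def loggable_hash(sensitive_value: str) -> str:
    """Deterministic, one-way representation of a sensitive value for fingerprints and logs."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", sensitive_value.encode("utf-8"), FINGERPRINT_SALT, PBKDF2_ITERATIONS
    )
    return "hashed:" + digest.hex()


def fingerprint_vulnerable(flow):
    """Pre-1.11.1 behaviour as the advisory describes it: sensitive values in plaintext."""
    parts = []
    for component in sorted(flow, key=lambda c: c["id"]):
        for name in sorted(component["properties"]):
            parts.append(f"{component['id']}.{name}={component['properties'][name]}")
    return ";".join(parts)


def fingerprint_fixed(flow):
    """Post-fix behaviour: each sensitive value is replaced by its deterministic hash."""
    parts = []
    for component in sorted(flow, key=lambda c: c["id"]):
        for name in sorted(component["properties"]):
            value = component["properties"][name]
            if name in SENSITIVE_PROPERTIES:
                value = loggable_hash(value)
            parts.append(f"{component['id']}.{name}={value}")
    return ";".join(parts)


def flows_inheritable(cluster_flow, local_flow):
    """Simplified inheritability check: the two hashed fingerprints must be identical."""
    return hmac.compare_digest(fingerprint_fixed(cluster_flow), fingerprint_fixed(local_flow))


def log_mismatch(cluster_flow, local_flow):
    """The text a node would log when the cluster flow is not inheritable (hashed form)."""
    return (
        "Cluster flow fingerprint: " + fingerprint_fixed(cluster_flow) + "\n"
        "Local flow fingerprint:   " + fingerprint_fixed(local_flow)
    )


# Constructed flows: the same processor on both sides, with one non-sensitive
# property differing so the cluster flow is not inheritable and both get logged.
CLUSTER_FLOW = [
    {"id": "proc-1", "properties": {"Access Key": "AKIA-EXAMPLE", "Batch Size": "10"}},
]
LOCAL_FLOW = [
    {"id": "proc-1", "properties": {"Access Key": "AKIA-EXAMPLE", "Batch Size": "20"}},
]

if __name__ == "__main__":
    print("vulnerable:", fingerprint_vulnerable(CLUSTER_FLOW))
    print("fixed:     ", fingerprint_fixed(CLUSTER_FLOW))
    print(log_mismatch(CLUSTER_FLOW, LOCAL_FLOW))
```

Two points worth noticing when running it: the hashed fingerprint still differs only where the flows actually differ, so comparison across nodes keeps working, and the mismatch log line no longer contains the access key. The remaining caveat is that a deterministic, fixed-salt hash of a low-entropy secret can still be brute-forced offline by anyone who reads the log, which is why a slow, memory-hard function such as Argon2 is the right choice over a plain SHA-256 and why log files still need the same access controls as the flow configuration itself.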