This is an automated email from the ASF dual-hosted git repository.
exceptionfactory pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi-site.git
The following commit(s) were added to refs/heads/main by this push:
new c59e7450 NIFI-13993 Published CVE-2024-52067
c59e7450 is described below
commit c59e74508e59de76c8723b69ec6f7b536fe684e0
Author: exceptionfactory <[email protected]>
AuthorDate: Wed Nov 20 11:27:46 2024 -0600
NIFI-13993 Published CVE-2024-52067
---
content/documentation/security.md | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/content/documentation/security.md
b/content/documentation/security.md
index 4d0c2311..f6031a25 100644
--- a/content/documentation/security.md
+++ b/content/documentation/security.md
@@ -64,6 +64,27 @@ Severity ratings represent the determination of project
members based on an eval
The following announcements include published vulnerabilities that apply
directly to Apache NiFi components.
+{{< vulnerability
+id="CVE-2024-52067"
+title="Potential Insertion of Sensitive Parameter Values in Debug Log"
+published="2024-11-20"
+severity="Medium"
+products="Apache NiFi"
+affectedVersions="1.16.0 to 1.28.0 and 2.0.0-M1 to 2.0.0-M4"
+fixedVersion="1.28.1 and 2.0.0"
+jira="NIFI-13971"
+pullRequest="9489"
+reporter="David Handermann" >}}
+
+Apache NiFi 1.16.0 through 1.28.0 and 2.0.0-M1 through 2.0.0-M4 include
optional debug logging of Parameter Context values
+during the flow synchronization process. An authorized administrator with
access to change logging levels could enable debug logging
+for framework flow synchronization, causing the application to write Parameter
names and values to the application log.
+Parameter Context values may contain sensitive information depending on
application flow configuration.
+Deployments of Apache NiFi with the default Logback configuration do not log
Parameter Context values.
+Upgrading to Apache NiFi 2.0.0 or 1.28.1 is the recommendation mitigation,
eliminating Parameter value logging from the flow synchronization process
regardless of the Logback configuration.
+
+{{</ vulnerability >}}
+
{{< vulnerability
id="CVE-2024-45477"
title="Improper Neutralization of Input in Parameter Description"
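Review bot: typo in the mitigation sentence of the added advisory text: "is the recommendation mitigation" should read "is the recommended mitigation". The same paragraph could also give administrators who cannot upgrade right away something concrete to check, since the text already states that the default Logback configuration does not log Parameter Context values: a sentence recommending that deployments on affected versions confirm debug logging has not been enabled for framework flow synchronization would make the interim guidance explicit rather than implied.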