This is an automated email from the ASF dual-hosted git repository.
pvillard pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi-site.git
The following commit(s) were added to refs/heads/main by this push:
new ddc5d99a NIFI-14272 - Published CVE-2025-27017
ddc5d99a is described below
commit ddc5d99ad662e07f7f4cc0d7fea63f86f46555ba
Author: Pierre Villard <[email protected]>
AuthorDate: Tue Mar 11 16:22:40 2025 +0100
NIFI-14272 - Published CVE-2025-27017
---
content/documentation/security.md | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/content/documentation/security.md
b/content/documentation/security.md
index 9c9f7efc..6fca6225 100644
--- a/content/documentation/security.md
+++ b/content/documentation/security.md
@@ -63,6 +63,25 @@ Severity ratings represent the determination of project
members based on an eval
# Published Vulnerabilities
The following announcements include published vulnerabilities that apply
directly to Apache NiFi components.
+
+{{< vulnerability
+id="CVE-2025-27017"
+title="Potential Insertion of MongoDB Password in Provenance Record"
+published="2025-03-11"
+severity="Medium"
+products="Apache NiFi"
+affectedVersions="1.13.0 to 2.2.0"
+fixedVersion="2.3.0"
+jira="NIFI-14272"
+pullRequest="9723"
+reporter="Robert Creese" >}}
+
+Apache NiFi 1.13.0 through 2.2.0 includes the username and password used to
authenticate with MongoDB in the NiFi
+provenance events that MongoDB components generate during processing. An
authorized user with read access to the
+provenance events of those processors may see the credentials information.
Upgrading to Apache NiFi 2.3.0 is the
+recommended mitigation, which removes the credentials from provenance event
records.
+
+{{</ vulnerability >}}
{{< vulnerability
id="CVE-2024-56512"
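Review bot: In the description paragraph of the new CVE-2025-27017 entry, the sentence "Upgrading to Apache NiFi 2.3.0 is the recommended mitigation, which removes the credentials from provenance event records" does not say whether provenance events already written by 1.13.0 through 2.2.0 still hold the MongoDB username and password after the upgrade. Suggest stating that explicitly and, if existing records are not rewritten, adding guidance to rotate the MongoDB credentials and to review who has read access to the provenance events of those processors. Separately, affectedVersions starts at 1.13.0 while fixedVersion lists only 2.3.0, so a sentence on what users on the 1.x line should do would help readers of the entry.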