This is an automated email from the ASF dual-hosted git repository. exceptionfactory pushed a commit to branch main-staging in repository https://gitbox.apache.org/repos/asf/nifi-site.git
commit 857f21c92d9dc0d0ba9fb8a263db11c1202e08d9 Author: Pierre Villard <[email protected]> AuthorDate: Tue Mar 11 16:22:40 2025 +0100 NIFI-14272 - Published CVE-2025-27017 (cherry picked from commit ddc5d99ad662e07f7f4cc0d7fea63f86f46555ba) --- content/documentation/security.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/content/documentation/security.md b/content/documentation/security.md index 9c9f7efc..6fca6225 100644 --- a/content/documentation/security.md +++ b/content/documentation/security.md @@ -63,6 +63,25 @@ Severity ratings represent the determination of project members based on an eval # Published Vulnerabilities The following announcements include published vulnerabilities that apply directly to Apache NiFi components. + +{{< vulnerability +id="CVE-2025-27017" +title="Potential Insertion of MongoDB Password in Provenance Record" +published="2025-03-11" +severity="Medium" +products="Apache NiFi" +affectedVersions="1.13.0 to 2.2.0" +fixedVersion="2.3.0" +jira="NIFI-14272" +pullRequest="9723" +reporter="Robert Creese" >}} + +Apache NiFi 1.13.0 through 2.2.0 includes the username and password used to authenticate with MongoDB in the NiFi +provenance events that MongoDB components generate during processing. An authorized user with read access to the +provenance events of those processors may see the credentials information. Upgrading to Apache NiFi 2.3.0 is the +recommended mitigation, which removes the credentials from provenance event records. + +{{</ vulnerability >}} {{< vulnerability id="CVE-2024-56512"
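Review bot: In the description paragraph of the added CVE-2025-27017 entry, the last sentence says upgrading to 2.3.0 "removes the credentials from provenance event records", which can be read as also covering records that already exist. The text does not say whether provenance events written by 1.13.0 through 2.2.0 still hold the MongoDB username and password after the upgrade. Suggest rewording to say that 2.3.0 no longer includes the credentials in the provenance events that MongoDB components generate. If previously stored events do retain them, add a sentence advising operators to rotate the MongoDB password and to review who has read access to provenance for those processors. Minor wording point in the same paragraph: "credentials information" would read better as "credential information".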
