CVE-2020-1942

In Apache NiFi 0.0.1 to 1.11.0, the flow fingerprint factory generated flow fingerprints which included sensitive property descriptor values. In the event a node attempted to join a cluster and the cluster flow was not inheritable, the flow fingerprint of both the cluster and local flow was printed, potentially containing sensitive values in plaintext.

Published: Feb 11, 2020
Updated: May 9, 2024
CVE: CVE-2020-1942
GHSA: GHSA-7q8g-gpfp-v8gx
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:P/I:N/A:N

CWEs:

CWE-200
CWE-532

Affected Software
References

Software	From	Fixed in
apache / nifi	0.0.1	1.11.0.x
org.apache.nifi / nifi	0.0.1	1.12.0-RC1

https://github.com/apache/nifi/commit/95746d346cddbd6134c4b28fdc39d5813a626f97
https://github.com/apache/nifi/commit/d7c29f46378379fb596e4d1e59d1a3c41063db5b
https://nifi.apache.org/security.html#CVE-2020-1942

Vulnerability Database

CVE-2020-1942

Deep Security Visibility Without the Complexity