CVE-2025-27017

Severity CVSS v4.0:

MEDIUM

Type:

CWE-538 Insertion of Sensitive Information into Externally-Accessible File or Directory

Publication date:

12/03/2025

Last modified:

16/07/2025

Description

Apache NiFi 1.13.0 through 2.2.0 includes the username and password used to authenticate with MongoDB in the NiFi provenance events that MongoDB components generate during processing. An authorized user with read access to the provenance events of those processors may see the credentials information. Upgrading to Apache NiFi 2.3.0 is the recommended mitigation, which removes the credentials from provenance event records.

Impact

Vector 4.0

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/S:P/AU:Y/R:U/V:C/RE:L/U:Green CVSS v4.0 Severity and Metrics:

Base Score: 6.90 MEDIUM
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/S:P/AU:Y/R:U/V:C/RE:L/U:Green

Attack Vector (AV): Network
Attack Complexity (AC): Low
Attack Requirements (AT): Present
Privileges Required (PR): High
User Interaction (UI): None
Confidentiality (VC): High
Integrity (VI): None
Availability (VA): None
Confidentiality (SC): High
Integrity (SI): None
Availability (SA): None
Safety (S): Present
Automatable (AU): Yes
Recovery (R): User
Value Density (V): Concentrated
Vulnerability Response Effort (RE): Low
Provider Urgency (U): Green

Base Score 4.0

6.90

Severity 4.0

MEDIUM

Vector 3.x

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS v3.1 Severity and Metrics:

Base Score: 6.50 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): None
Availability (A): None