Miggo Logo
Miggo Vulnerability Database
CVE-2020-1942

CVE-2020-1942:
Insertion of Sensitive Information into Log File in Apache NiFi

7.5

CVSS Score
3.1

Basic Information

CVE ID
CVE-2020-1942
GHSA ID
GHSA-7q8g-gpfp-v8gx
EPSS Score
0.38357%
CWE
CWE-200
Published
1/6/2022
Updated
7/31/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.apache.nifi:nifi-framework-coremaven>= 0.0.1, <= 1.11.01.12.0-RC1
org.apache.nifi:nifi-security-utilsmaven>= 0.0.1, <= 1.11.01.12.0-RC1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stemmed from flow fingerprints containing sensitive descriptor values. The FingerprintFactory's parameter handling methods:

  1. getLoggableRepresentationOfSensitiveValue initially returned decrypted values (as shown in pre-patch code comments)
  2. addParameter called this method when constructing fingerprint strings

Commit d7c29f4 shows the fix introduced Argon2SecureHasher to replace plaintext logging. The pre-patch versions of these functions lacked proper value masking, matching the CVE description of sensitive data exposure in flow comparison logs.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In *p**** Ni*i *.*.* to *.**.*, t** *low *in**rprint ***tory **n*r*t** *low *in**rprints w*i** in*lu*** s*nsitiv* prop*rty **s*riptor v*lu*s. In t** *v*nt * no** *tt*mpt** to join * *lust*r *n* t** *lust*r *low w*s not in**rit**l*, t** *low *in**rpri

Reasoning

T** vuln*r**ility st*mm** *rom *low *in**rprints *ont*inin* s*nsitiv* **s*riptor v*lu*s. T** *in**rprint***tory's p*r*m*t*r **n*lin* m*t*o*s: *. **tLo****l*R*pr*s*nt*tionO*S*nsitiv*V*lu* initi*lly r*turn** ***rypt** v*lu*s (*s s*own in pr*-p*t** *o*