CVE-2024-52067: Apache NiFi: Potential Insertion of Sensitive Parameter Values in Debug Log
CVSS Score (v4.0): 6.9
Basic Information
CVE ID: CVE-2024-52067
GHSA ID:
EPSS Score: 0.34741%
CWE:
Published: 2/11/2025
Updated: 2/11/2025
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:D/RE:L/U:Green
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.apache.nifi:nifi-framework-core | maven | >= 1.16.0, < 1.28.1 | 1.28.1 |
| org.apache.nifi:nifi-framework-core | maven | >= 2.0.0-M1, <= 2.0.0-M4 | 2.0.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from debug logging of Parameter Context values during flow synchronization. The GitHub patch shows removal of a code block in VersionedFlowSynchronizer.java that:

1. Checked if debug logging was enabled
2. Collected parameter values
3. Logged them using logger.debug()

This matches the vulnerability description, where authorized admins could enable debug logging to expose sensitive parameters. The affected function updateParameterContext() was modified in the patch, confirming it as the vulnerable location.