CVE-2020-9486: Inclusion of Sensitive Information in Log Files
In Apache NiFi, the NiFi stateless execution engine produced log output which included sensitive property values. When a flow was triggered, the flow definition configuration JSON was printed, potentially containing sensitive values in plaintext.
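An added example, not code from this advisory or from Apache NiFi: a Python check that finds a JSON document embedded in a log line and masks string values stored under sensitive-looking property names, which is useful for auditing or scrubbing logs already written. The log line layout, the JSON structure, the property names and the name pattern are all assumptions.

```python
import json
import re

# Assumption: secrets sit under names like these. NiFi marks sensitivity on the
# property descriptor, which a log line does not carry, so names are a heuristic.
SENSITIVE_NAME = re.compile(
    r"passw|passphrase|secret|token|credential|(api|access|private)[ _-]?key", re.I)
MASK = "********"

def find_json(line):
    """Return (obj, start, end) for the first JSON object embedded in line, else None."""
    start = line.find("{")
    while start != -1:
        try:
            obj, end = json.JSONDecoder().raw_decode(line, start)
            return obj, start, end
        except json.JSONDecodeError:
            start = line.find("{", start + 1)  # not JSON here, try the next brace
    return None

def redact(node, hits, path="$"):
    """Mask non-empty string values under sensitive names; record their paths in hits."""
    if isinstance(node, dict):
        for name, value in node.items():
            child = f"{path}.{name}"
            if isinstance(value, str) and value and SENSITIVE_NAME.search(name):
                node[name] = MASK
                hits.append(child)
            else:
                redact(value, hits, child)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            redact(item, hits, f"{path}[{i}]")

def scrub_line(line):
    """Return (line with secrets masked, JSON paths masked); untouched if nothing found."""
    found = find_json(line)
    if found is None:
        return line, []
    obj, start, end = found
    hits = []
    redact(obj, hits)
    return (line[:start] + json.dumps(obj) + line[end:] if hits else line), hits

# Constructed sample log lines (message text, JSON layout and values are made up).
SAMPLE_LOG = [
    '2020-01-01 10:00:00 INFO flow definition: {"processors": [{"type": "PutSFTP", '
    '"properties": {"Hostname": "sftp.example.internal", "Password": "hunter2-constructed"}}]}',
    "2020-01-01 10:00:01 INFO Flow completed",
]
```

Any line for which `scrub_line` returns a non-empty path list held a plaintext value; treat that credential as exposed and rotate it rather than only masking the log.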