SB2025032715 - MongoDB credentials disclosure in Apache NiFi




Published: March 27, 2025

Security Bulletin ID: SB2025032715
Severity: Low
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Information disclosure

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 1 security vulnerability.


1) Information disclosure (CVE-ID: CVE-2025-27017)

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists because the application includes the username and password used to authenticate with MongoDB in the NiFi provenance events that MongoDB components generate during processing. A remote user with read access to the provenance events can obtain the MongoDB credentials.
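A defender-side check for the exposure described above, as an added example that is not part of the original bulletin or of Apache NiFi's code: it scans exported provenance events for MongoDB connection strings that carry credentials and reports them with the password masked. The event field names, the sample values, and the assumption that the credentials appear as connection-string userinfo are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: leaked credentials appear as userinfo in a MongoDB connection
# string (mongodb:// or mongodb+srv://) inside some string value of an event.
MONGO_URI = re.compile(
    r"(mongodb(?:\+srv)?://)([^:/?#@\s]+):([^/?#@\s]*)@", re.IGNORECASE)

# Constructed sample events; field names and values are hypothetical.
SAMPLE_EVENTS = [
    {"eventType": "SEND",
     "transitUri": "mongodb://nifi_svc:p%40ss@db1.example.internal:27017,"
                   "db2.example.internal:27017/orders"},
    {"eventType": "RECEIVE",
     "transitUri": "mongodb://db1.example.internal:27017/orders",
     "attributes": {"note": "MongoDB+srv://Reader:s3cret@cluster0.example.internal/"}},
]


def walk_strings(node, path=""):
    """Yield (path, string) for every string value in a nested structure."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk_strings(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk_strings(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node


def find_exposed_credentials(events):
    """Return one finding per embedded credential, never echoing the password."""
    findings = []
    for position, event in enumerate(events):
        for path, text in walk_strings(event):
            for match in MONGO_URI.finditer(text):
                findings.append({
                    "event": position,
                    "field": path,
                    "username": unquote(match.group(2)),
                    "redacted": MONGO_URI.sub(r"\1\2:***@", text),
                })
    return findings


if __name__ == "__main__":
    for finding in find_exposed_credentials(SAMPLE_EVENTS):
        print(finding)
```

Any account reported by such a scan should have its MongoDB password rotated after the update is installed, since already-recorded events still contain the old value.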


Remediation

Install the update from the vendor's website.