{"id":"GHSA-g644-pr5v-vppf","summary":"Insertion of Sensitive Information into Log File in Apache NiFi Stateless","details":"In Apache NiFi 1.10.0 to 1.11.4, the NiFi stateless execution engine produced log output which included sensitive property values. When a flow was triggered, the flow definition configuration JSON was printed, potentially containing sensitive values in plaintext.","aliases":["BIT-nifi-2020-9486","CVE-2020-9486"],"modified":"2025-09-15T07:42:08.977790Z","published":"2022-01-06T20:41:02Z","database_specific":{"severity":"HIGH","github_reviewed_at":"2021-03-29T16:28:50Z","github_reviewed":true,"nvd_published_at":"2020-10-01T20:15:00Z","cwe_ids":["CWE-532"]},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-9486"},{"type":"WEB","url":"https://github.com/apache/nifi/commit/148537d64a017b73160b0d49943183c18f883ab0"},{"type":"PACKAGE","url":"https://github.com/apache/nifi"},{"type":"WEB","url":"https://nifi.apache.org/security#CVE-2020-9486"}],"affected":[{"package":{"name":"org.apache.nifi:nifi-stateless","ecosystem":"Maven","purl":"pkg:maven/org.apache.nifi/nifi-stateless"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"1.10.0"},{"fixed":"1.12.0-RC1"}]}],"versions":["1.10.0","1.11.0","1.11.1","1.11.2","1.11.3","1.11.4"],"database_specific":{"last_known_affected_version_range":"\u003c= 1.11.4","source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-g644-pr5v-vppf/GHSA-g644-pr5v-vppf.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}