CVE-2024-52067: 
Java vulnerability analysis and mitigation

Apache NiFi versions 1.16.0 through 1.28.0 and 2.0.0-M1 through 2.0.0-M4 contain a vulnerability (CVE-2024-52067) related to debug logging of Parameter Context values during flow synchronization. This vulnerability was discovered and reported on November 20, 2024, affecting the Apache NiFi dataflow system, which is designed for flow-based programming and supports powerful directed graphs of data routing, transformation, and system mediation logic (Security Online, NVD).

The vulnerability stems from optional debug logging functionality within NiFi's flow synchronization process. While not enabled by default, an authorized administrator with access to change logging levels could enable debug logging for framework flow synchronization, causing the application to write Parameter names and values to the application log. The vulnerability has been assigned a CVSS v3.1 base score of 4.9 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N, and a CVSS v4.0 score of 6.9 (Medium) (NVD).

The vulnerability could lead to the exposure of sensitive parameter values in debug logs, potentially compromising confidential information. Parameter Context values may contain sensitive information depending on application flow configuration, which could be leaked through these debug logs if the vulnerability is exploited (Security Online).

The recommended mitigation is to upgrade to either Apache NiFi 2.0.0 or 1.28.1. These versions have eliminated parameter value logging from the flow synchronization process, regardless of the Logback configuration, effectively patching the vulnerability (NVD).