Medium
Apache NiFi could allow a remote authenticated attacker to obtain sensitive information, caused by the storage of the username and a bcrypt hash of the configured password in the Login Identity Providers configuration file when credentials for single-user access are created or updated. By gaining access to the configuration file, an attacker could exploit this vulnerability to obtain username and password information and use it to launch further attacks against the affected system.
Information Disclosure
Apache
Apache NiFi 1.15.0
Upgrade to the latest version of Apache NiFi, available from the Apache Web site.