BIT-nifi-2023-34212

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/nifi/BIT-nifi-2023-34212.json

JSON Data

https://api.osv.dev/v1/vulns/BIT-nifi-2023-34212

Aliases

Published

2025-09-12T11:46:56.875Z

Modified

2025-09-15T07:42:08.778786Z

Summary

Apache NiFi: Potential Deserialization of Untrusted Data with JNDI in JMS Components

Details

The JndiJmsConnectionFactoryProvider Controller Service, along with the ConsumeJMS and PublishJMS Processors, in Apache NiFi 1.8.0 through 1.21.0 allow an authenticated and authorized user to configure URL and library properties that enable deserialization of untrusted data from a remote location.

The resolution validates the JNDI URL and restricts locations to a set of allowed schemes.

You are recommended to upgrade to version 1.22.0 or later which fixes this issue.

Database specific

{
    "cpes": [
        "cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*"
    ],
    "severity": "Medium"
}

References

Affected packages

Bitnami / nifi

Package

Name: nifi
Purl: pkg:bitnami/nifi

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

1.8.0

Last affected

1.21.0