CVE-2023-34212

See a problem?
Source
https://nvd.nist.gov/vuln/detail/CVE-2023-34212
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-34212.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-34212
Aliases
Published
2023-06-12T16:15:10Z
Modified
2024-06-06T14:22:52.581601Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
[none]
Details

The JndiJmsConnectionFactoryProvider Controller Service, along with the ConsumeJMS and PublishJMS Processors, in Apache NiFi 1.8.0 through 1.21.0 allow an authenticated and authorized user to configure URL and library properties that enable deserialization of untrusted data from a remote location.

The resolution validates the JNDI URL and restricts locations to a set of allowed schemes.

You are recommended to upgrade to version 1.22.0 or later which fixes this issue.

References

Affected packages

Git / github.com/apache/nifi

Affected ranges

Type
GIT
Repo
https://github.com/apache/nifi
Events

Affected versions

nifi-1.*

nifi-1.10.0-RC3
nifi-1.11.0-RC3
nifi-1.12.0-RC1
nifi-1.14.0-RC2
nifi-1.15.0-RC3
nifi-1.16.0-RC3
nifi-1.17.0-RC2
nifi-1.18.0-RC4
nifi-1.19.0-RC1
nifi-1.20.0-RC1
nifi-1.21.0-RC2
nifi-1.8.0-RC3
nifi-1.9.0-RC2

rel/nifi-1.*

rel/nifi-1.10.0
rel/nifi-1.11.0
rel/nifi-1.12.0
rel/nifi-1.14.0
rel/nifi-1.15.0
rel/nifi-1.16.0
rel/nifi-1.17.0
rel/nifi-1.18.0
rel/nifi-1.19.0
rel/nifi-1.20.0
rel/nifi-1.21.0
rel/nifi-1.8.0
rel/nifi-1.9.0