CVE-2023-34468

Source
https://cve.org/CVERecord?id=CVE-2023-34468
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-34468.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-34468
Aliases
Published
2023-06-12T16:15:10.130Z
Modified
2026-03-11T15:14:44.028236Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution.

The resolution validates the Database URL and rejects H2 JDBC locations.

Upgrading to version 1.22.0 or later, which fixes this issue, is recommended.

References

Affected packages

Git /

Affected ranges

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-34468.json"
unresolved_ranges
[
    {
        "events": [
            {
                "introduced": "0.0.2"
            },
            {
                "fixed": "1.22.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0.0.2"
            },
            {
                "last_affected": "1.21.0"
            }
        ]
    }
]