GHSA-xm2m-2q6h-22jw
Suggest an improvement- Source
- https://github.com/advisories/GHSA-xm2m-2q6h-22jw
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-xm2m-2q6h-22jw/GHSA-xm2m-2q6h-22jw.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-xm2m-2q6h-22jw
- Aliases
- Published
- 2023-06-12T18:30:18Z
- Modified
- 2024-04-12T16:46:00.604033Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Apache NiFi vulnerable to Code Injection
- Details
-
The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution.
The resolution validates the Database URL and rejects H2 JDBC locations.
You are recommended to upgrade to version 1.22.0 or later which fixes this issue.
- Database specific
{ "nvd_published_at": "2023-06-12T16:15:10Z", "cwe_ids": [ "CWE-94" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2023-06-12T20:29:34Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2023-34468
- https://github.com/apache/nifi/pull/7349
- https://github.com/apache/nifi/commit/4faf3ea59895e7e153db3f8f61147ff70a254361
- https://exceptionfactory.com/posts/2023/10/07/firsthand-analysis-of-apache-nifi-vulnerability-cve-2023-34468
- https://github.com/apache/nifi
- https://issues.apache.org/jira/browse/NIFI-11653
- https://lists.apache.org/thread/7b82l4f5blmpkfcynf3y6z4x1vqo59h8
- https://nifi.apache.org/security.html#CVE-2023-34468
- https://www.cyfirma.com/outofband/apache-nifi-cve-2023-34468-rce-vulnerability-analysis-and-exploitation
- http://packetstormsecurity.com/files/174398/Apache-NiFi-H2-Connection-String-Remote-Code-Execution.html
- http://www.openwall.com/lists/oss-security/2023/06/12/3
Affected packages
Maven / org.apache.nifi:nifi-dbcp-base
Package
- Name
- org.apache.nifi:nifi-dbcp-base
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apache.nifi/nifi-dbcp-base
Maven / org.apache.nifi:nifi-hikari-dbcp-service
Package
- Name
- org.apache.nifi:nifi-hikari-dbcp-service
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apache.nifi/nifi-hikari-dbcp-service
Maven / org.apache.nifi:nifi-dbcp-service-nar
Package
- Name
- org.apache.nifi:nifi-dbcp-service-nar
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apache.nifi/nifi-dbcp-service-nar
Affected versions
0.*
0.2.0-incubating
0.2.1
0.3.0
0.4.0
0.4.1
0.5.0
0.5.1
0.6.0
0.6.1
0.7.0
0.7.1
0.7.2
0.7.3
0.7.4
1.*
1.0.0-BETA
1.0.0
1.0.1
1.1.0
1.1.1
1.1.2
1.2.0
1.3.0
1.4.0
1.5.0
1.6.0
1.7.0
1.7.1
1.8.0
1.9.0
1.9.1
1.9.2
1.10.0
1.11.0
1.11.1
1.11.2
1.11.3
1.11.4
1.12.0
1.12.1
1.13.0
1.13.1
1.13.2
1.14.0
1.15.0
1.15.1
1.15.2
1.15.3
1.16.0
1.16.1
1.16.2
1.16.3
1.17.0
1.18.0
1.19.0
1.19.1
1.20.0
1.21.0