CVE-2022-33140 — OS Command Injection in Software Foundation Apache Nifi

CWE-78 — OS Command Injection CWE-74 — Injection5 documents5 sources

Severity

8.8HIGHNVD

EPSS

3.9%

top 11.74%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Nifi Apache Software Foundation Apache Nifi Registry Apache Nifi +1 more

Timeline

PublishedJun 15

Latest updateJun 16

Description

The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not neutralize arguments for group resolution commands, allowing injection of operating system commands on Linux and macOS platforms. The ShellUserGroupProvider is not included in the default configuration. Command injection requires ShellUserGroupProvider to be one of the enabled User Group Providers in the Authorizers configuration. Command injection also requires an authenticated …

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

▶CVEListV5apache_software_foundation/apache_nifi_registry0.6.0 — 0.6.0*+1

▶NVDapache/nifi_registry0.6.0 — 1.16.2

▶CVEListV5apache_software_foundation/apache_nifi1.10.0 — 1.10.0*+1

▶NVDapache/nifi1.10.0 — 1.16.2

🔴Vulnerability Details

GHSA

Code injection in Apache NiFi and NiFi Registry↗2022-06-16

▶

OSV

Code injection in Apache NiFi and NiFi Registry↗2022-06-16

▶

CVEList

Improper Neutralization of Command Elements in Shell User Group Provider↗2022-06-15

▶

📋Vendor Advisories

Apache

Apache nifi: CVE-2022-33140↗

▶