CVE-2023-34468

CWE-94 Code Injection | 5 documents | 5 sources
Severity: 8.8 HIGH
EPSS: 77.2% (top 1.03%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jun 12, 2023

Description

The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution. The resolution validates the Database URL and rejects H2 JDBC locations. Upgrade to version 1.22.0 or later, which fixes this issue.
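Because the fix is a validation of the Database URL, the practical question for an operator on a pre-1.22.0 instance is which existing DBCP/HikariCP services already point at H2. The script below is an added example, not NiFi project code: it implements an H2-rejecting URL check in the spirit of the resolution described above and walks a NiFi flow definition looking for the two Controller Service types named in the advisory. The service class names are the real NiFi classes; the JSON shape of the flow, the property key names (`Database Connection URL`, `hikaricp-connection-url`) and the sample flow itself are constructed assumptions for the example.

```python
"""Audit a NiFi flow definition for DBCP / HikariCP services that point at H2.

Added example for CVE-2023-34468; not NiFi project code. The service type names
are the real NiFi classes; the flow JSON shape and property keys are assumptions.
"""
import json
import re
import sys

# The two Controller Services named in the advisory.
VULNERABLE_SERVICE_TYPES = {
    "org.apache.nifi.dbcp.DBCPConnectionPool",
    "org.apache.nifi.dbcp.HikariCPConnectionPool",
}

# JDBC URLs are "jdbc:<subprotocol>:<rest>". Match case-insensitively and tolerate
# leading whitespace so "  JDBC:H2:tcp://..." cannot slip past a naive prefix check.
JDBC_URL_RE = re.compile(r"^\s*jdbc:([a-z0-9]+):", re.IGNORECASE)


def jdbc_subprotocol(url):
    """Return the lower-cased JDBC subprotocol ('h2', 'postgresql', ...) or None."""
    match = JDBC_URL_RE.match(url)
    return match.group(1).lower() if match else None


def validate_database_url(url):
    """Post-fix style check: accept any JDBC URL except H2. Returns (ok, reason)."""
    sub = jdbc_subprotocol(url)
    if sub is None:
        return False, "not a JDBC URL"
    if sub == "h2":
        return False, "H2 JDBC URL rejected (CVE-2023-34468)"
    return True, "ok"


def find_h2_services(flow):
    """Walk a nested flow definition and return (service name, type, url) for every
    DBCP/HikariCP service whose string properties contain an H2 JDBC URL."""
    findings = []

    def walk(node):
        if isinstance(node, dict):
            service_type = node.get("type")
            if isinstance(service_type, str) and service_type in VULNERABLE_SERVICE_TYPES:
                props = node.get("properties")
                if isinstance(props, dict):
                    # Scan every string property rather than relying on the exact
                    # property key, which differs between the two services.
                    for value in props.values():
                        if isinstance(value, str) and jdbc_subprotocol(value) == "h2":
                            findings.append((node.get("name", "<unnamed>"), service_type, value.strip()))
            for child in node.values():
                walk(child)
        elif isinstance(node, list):
            for child in node:
                walk(child)

    walk(flow)
    return findings


# Constructed sample flow (assumed shape): two H2-backed pools, one of them nested in a
# child process group and written in mixed case, plus a PostgreSQL pool that must not be flagged.
SAMPLE_FLOW = {
    "rootGroup": {
        "name": "root",
        "controllerServices": [
            {
                "name": "LegacyH2Pool",
                "type": "org.apache.nifi.dbcp.DBCPConnectionPool",
                "properties": {
                    "Database Connection URL": "jdbc:h2:mem:scratch;DB_CLOSE_DELAY=-1",
                    "Database Driver Class Name": "org.h2.Driver",
                },
            },
            {
                "name": "WarehousePool",
                "type": "org.apache.nifi.dbcp.HikariCPConnectionPool",
                "properties": {"hikaricp-connection-url": "jdbc:postgresql://db:5432/warehouse"},
            },
        ],
        "processGroups": [
            {
                "name": "ingest",
                "controllerServices": [
                    {
                        "name": "SneakyPool",
                        "type": "org.apache.nifi.dbcp.HikariCPConnectionPool",
                        "properties": {"hikaricp-connection-url": "  JDBC:H2:tcp://remote-host/db"},
                    }
                ],
            }
        ],
    }
}


if __name__ == "__main__":
    # Usage: python audit_nifi_h2.py [flow.json]; without an argument the sample flow is scanned.
    source = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_FLOW
    for name, service_type, url in find_h2_services(source):
        print(f"{name} ({service_type.rsplit('.', 1)[-1]}): {url}")
```

Two caveats for real use: a property whose value is a NiFi parameter reference (`#{db_url}`) will not match until it is resolved against its parameter context, and a scan like this only finds what is already configured; the durable control is the validator inside the service, which is what 1.22.0 adds, so the audit is a stop-gap until the upgrade lands.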

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9
(Network-reachable, low attack complexity, low privileges required, no user interaction; unchanged scope with high confidentiality, integrity and availability impact. The PR:L component matches the advisory: the attacker must already be an authenticated user authorized to configure Controller Services.)

Affected Packages (5 packages)

Source      | Package                                 | Introduced | Fixed / last affected
NVD         | apache/nifi                             | 0.0.2      | 1.22.0 (fixed)
Maven       | org.apache.nifi:nifi-dbcp-base          | 0.0.2      | 1.22.0 (fixed)
CVEList V5  | apache_software_foundation/apache_nifi  | 0.0.2      | 1.21.0 (last affected)

🔴 Vulnerability Details (3)

CVEList: Apache NiFi: Potential Code Injection with Database Services using H2 (2023-06-12)
OSV: Apache NiFi vulnerable to Code Injection (2023-06-12)
GHSA: Apache NiFi vulnerable to Code Injection (2023-06-12)

📋 Vendor Advisories (1)

Apache: Apache nifi: CVE-2023-34468