⚠ Exploited in the wild
Exploitation observed in the wild. Not yet on CISA KEV.

CVE-2023-36542

CWE-94Code Injection6 documents6 sources
Severity
8.8HIGH
EPSS
1.0%
top 23.52%
CISA KEV
Not in KEV
Exploit
Exploited in wild
Active exploitation observed
Affected products
2
Apache Software Foundation Apache NifiApache Nifi
Timeline
PublishedJul 29

Description

Apache NiFi 0.0.2 through 1.22.0 include Processors and Controller Services that support HTTP URL references for retrieving drivers, which allows an authenticated and authorized user to configure a location that enables custom code execution. The resolution introduces a new Required Permission for referencing remote resources, restricting configuration of these components to privileged users. The permission prevents unprivileged users from configuring Processors and Controller Services annotated

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages10 packages

Mavenorg.apache.nifi:nifi-jms-processors0.0.21.23.0
Mavenorg.apache.nifi:nifi-dbcp-service0.0.21.23.0

🔴Vulnerability Details

4
GHSA
Apache NiFi Code Injection vulnerability2023-07-29
OSV
Apache NiFi Code Injection vulnerability2023-07-29
CVEList
Apache NiFi: Potential Code Injection with Properties Referencing Remote Resources2023-07-29
VulnCheck
Apache nifi Improper Control of Generation of Code ('Code Injection')2023

📋Vendor Advisories

1
Apache
Apache nifi: CVE-2023-36542