CVE-2023-34212

The JndiJmsConnectionFactoryProvider Controller Service, along with the ConsumeJMS and PublishJMS Processors, in Apache NiFi 1.8.0 through 1.21.0 allow an authenticated and authorized user to configure URL and library properties that enable deserialization of untrusted data from a remote location. The resolution validates the JNDI URL and restricts locations to a set of allowed schemes. You are recommended to upgrade to version 1.22.0 or later which fixes this issue.
References
Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*

History

21 Jun 2023, 15:18

Type Values Removed Values Added
References (MISC) https://lists.apache.org/thread/w5rm46fxmvxy216tglf0dv83wo6gnzr5 - Mailing List, Third Party Advisory (MISC) https://lists.apache.org/thread/w5rm46fxmvxy216tglf0dv83wo6gnzr5 - Mailing List, Vendor Advisory

21 Jun 2023, 02:15

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 6.5
References (MISC) http://www.openwall.com/lists/oss-security/2023/06/12/2 - (MISC) http://www.openwall.com/lists/oss-security/2023/06/12/2 - Mailing List, Third Party Advisory
References (MISC) https://nifi.apache.org/security.html#CVE-2023-34212 - (MISC) https://nifi.apache.org/security.html#CVE-2023-34212 - Release Notes, Vendor Advisory
References (MISC) https://lists.apache.org/thread/w5rm46fxmvxy216tglf0dv83wo6gnzr5 - (MISC) https://lists.apache.org/thread/w5rm46fxmvxy216tglf0dv83wo6gnzr5 - Mailing List, Third Party Advisory
CPE cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*
First Time Apache nifi
Apache

12 Jun 2023, 21:15

Type Values Removed Values Added
References
  • (MISC) http://www.openwall.com/lists/oss-security/2023/06/12/2 -

12 Jun 2023, 16:20

Type Values Removed Values Added
New CVE

Information

Published : 2023-06-12 16:15

Updated : 2024-02-28 20:13


NVD link : CVE-2023-34212

Mitre link : CVE-2023-34212

CVE.ORG link : CVE-2023-34212


JSON object : View

Products Affected

apache

  • nifi
CWE
CWE-502

Deserialization of Untrusted Data