The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution.
The resolution validates the Database URL and rejects H2 JDBC locations.
You are recommended to upgrade to version 1.22.0 or later which fixes this issue.
References
Link | Resource |
---|---|
http://packetstormsecurity.com/files/174398/Apache-NiFi-H2-Connection-String-Remote-Code-Execution.html | Third Party Advisory VDB Entry |
http://www.openwall.com/lists/oss-security/2023/06/12/3 | Mailing List Third Party Advisory |
https://lists.apache.org/thread/7b82l4f5blmpkfcynf3y6z4x1vqo59h8 | Mailing List Vendor Advisory |
https://nifi.apache.org/security.html#CVE-2023-34468 | Release Notes Vendor Advisory |
https://www.cyfirma.com/outofband/apache-nifi-cve-2023-34468-rce-vulnerability-analysis-and-exploitation/ | Third Party Advisory |
Configurations
History
03 Oct 2023, 15:44
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) http://packetstormsecurity.com/files/174398/Apache-NiFi-H2-Connection-String-Remote-Code-Execution.html - Third Party Advisory, VDB Entry | |
References | (MISC) https://www.cyfirma.com/outofband/apache-nifi-cve-2023-34468-rce-vulnerability-analysis-and-exploitation/ - Third Party Advisory |
28 Sep 2023, 22:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
30 Aug 2023, 17:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
21 Jun 2023, 02:20
Type | Values Removed | Values Added |
---|---|---|
First Time |
Apache nifi
Apache |
|
CPE | cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:* | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.8 |
References | (MISC) https://nifi.apache.org/security.html#CVE-2023-34468 - Release Notes, Vendor Advisory | |
References | (MISC) http://www.openwall.com/lists/oss-security/2023/06/12/3 - Mailing List, Third Party Advisory | |
References | (MISC) https://lists.apache.org/thread/7b82l4f5blmpkfcynf3y6z4x1vqo59h8 - Mailing List, Vendor Advisory |
12 Jun 2023, 21:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
12 Jun 2023, 16:20
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-06-12 16:15
Updated : 2024-10-08 21:35
NVD link : CVE-2023-34468
Mitre link : CVE-2023-34468
CVE.ORG link : CVE-2023-34468
JSON object : View
Products Affected
apache
- nifi
CWE
CWE-94
Improper Control of Generation of Code ('Code Injection')