CVE-2023-34468

The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution. The resolution validates the Database URL and rejects H2 JDBC locations. You are recommended to upgrade to version 1.22.0 or later which fixes this issue.
Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*

History

03 Oct 2023, 15:44

Type Values Removed Values Added
References (MISC) http://packetstormsecurity.com/files/174398/Apache-NiFi-H2-Connection-String-Remote-Code-Execution.html - (MISC) http://packetstormsecurity.com/files/174398/Apache-NiFi-H2-Connection-String-Remote-Code-Execution.html - Third Party Advisory, VDB Entry
References (MISC) https://www.cyfirma.com/outofband/apache-nifi-cve-2023-34468-rce-vulnerability-analysis-and-exploitation/ - (MISC) https://www.cyfirma.com/outofband/apache-nifi-cve-2023-34468-rce-vulnerability-analysis-and-exploitation/ - Third Party Advisory

28 Sep 2023, 22:15

Type Values Removed Values Added
References
  • (MISC) https://www.cyfirma.com/outofband/apache-nifi-cve-2023-34468-rce-vulnerability-analysis-and-exploitation/ -

30 Aug 2023, 17:15

Type Values Removed Values Added
References
  • (MISC) http://packetstormsecurity.com/files/174398/Apache-NiFi-H2-Connection-String-Remote-Code-Execution.html -

21 Jun 2023, 02:20

Type Values Removed Values Added
First Time Apache nifi
Apache
CPE cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 8.8
References (MISC) https://nifi.apache.org/security.html#CVE-2023-34468 - (MISC) https://nifi.apache.org/security.html#CVE-2023-34468 - Release Notes, Vendor Advisory
References (MISC) http://www.openwall.com/lists/oss-security/2023/06/12/3 - (MISC) http://www.openwall.com/lists/oss-security/2023/06/12/3 - Mailing List, Third Party Advisory
References (MISC) https://lists.apache.org/thread/7b82l4f5blmpkfcynf3y6z4x1vqo59h8 - (MISC) https://lists.apache.org/thread/7b82l4f5blmpkfcynf3y6z4x1vqo59h8 - Mailing List, Vendor Advisory

12 Jun 2023, 21:15

Type Values Removed Values Added
References
  • (MISC) http://www.openwall.com/lists/oss-security/2023/06/12/3 -

12 Jun 2023, 16:20

Type Values Removed Values Added
New CVE

Information

Published : 2023-06-12 16:15

Updated : 2024-10-08 21:35


NVD link : CVE-2023-34468

Mitre link : CVE-2023-34468

CVE.ORG link : CVE-2023-34468


JSON object : View

Products Affected

apache

  • nifi
CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')