Apache NiFi 0.0.2 through 1.22.0 include Processors and Controller Services that support HTTP URL references for retrieving drivers, which allows an authenticated and authorized user to configure a location that enables custom code execution. The resolution introduces a new Required Permission for referencing remote resources, restricting configuration of these components to privileged users. The permission prevents unprivileged users from configuring Processors and Controller Services annotated with the new Reference Remote Resources restriction. Upgrading to Apache NiFi 1.23.0 is the recommended mitigation.
References
Link | Resource |
---|---|
http://seclists.org/fulldisclosure/2023/Jul/43 | Not Applicable |
http://www.openwall.com/lists/oss-security/2023/07/29/1 | Mailing List Third Party Advisory |
https://lists.apache.org/thread/swnly3dzhhq9zo3rofc8djq77stkhbof | Issue Tracking Mailing List Vendor Advisory |
https://nifi.apache.org/security.html#CVE-2023-36542 | Vendor Advisory |
Configurations
History
03 Aug 2023, 19:09
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:* | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.8 |
First Time |
Apache nifi
Apache |
|
References | (MISC) http://seclists.org/fulldisclosure/2023/Jul/43 - Not Applicable | |
References | (MISC) https://nifi.apache.org/security.html#CVE-2023-36542 - Vendor Advisory | |
References | (MISC) https://lists.apache.org/thread/swnly3dzhhq9zo3rofc8djq77stkhbof - Issue Tracking, Mailing List, Vendor Advisory | |
References | (MISC) http://www.openwall.com/lists/oss-security/2023/07/29/1 - Mailing List, Third Party Advisory |
30 Jul 2023, 09:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
29 Jul 2023, 12:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
29 Jul 2023, 08:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-07-29 08:15
Updated : 2024-10-03 14:35
NVD link : CVE-2023-36542
Mitre link : CVE-2023-36542
CVE.ORG link : CVE-2023-36542
JSON object : View
Products Affected
apache
- nifi
CWE
CWE-94
Improper Control of Generation of Code ('Code Injection')