Lucene search

[email protected]CVE-2023-34468

HistoryJun 12, 2023 - 4:15 p.m.

CVE-2023-34468

2023-06-1216:15:10

CWE-94

[email protected]

web.nvd.nist.gov

apache

nifi

cve-2023-34468

security

vulnerability

update

dbcpconnectionpool

hikaricpconnectionpool

h2 driver

code execution

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.5 High

AI Score

Confidence

High

0.907 High

EPSS

Percentile

98.9%

JSON

The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution.

The resolution validates the Database URL and rejects H2 JDBC locations.

You are recommended to upgrade to version 1.22.0 or later which fixes this issue.

Affected configurations

Vulners

NVD

Node

apachenifiRange≤1.21.0

CPENameOperatorVersion
apache:nifiapache nifilt1.22.0

CPE	Name	Operator	Version
apache:nifi	apache nifi	lt	1.22.0

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Apache NiFi",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThanOrEqual": "1.21.0",
        "status": "affected",
        "version": "0.0.2",
        "versionType": "semver"
      }
    ]
  }
]