Lucene search
ApacheCVELIST:CVE-2023-34468HistoryJun 12, 2023 - 3:09 p.m.
CVE-2023-34468 Apache NiFi: Potential Code Injection with Database Services using H2
2023-06-1215:09:20
CWE-94
apache
www.cve.org
1
apache nifi
code injection
database services
h2
dbcpconnectionpool
hikaricpconnectionpool
controller services
authentication
authorization
database url
h2 driver
custom code execution
version upgrade
The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution.
The resolution validates the Database URL and rejects H2 JDBC locations.
You are recommended to upgrade to version 1.22.0 or later which fixes this issue.
CNA Affected
[
{
"defaultStatus": "unaffected",
"product": "Apache NiFi",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "1.21.0",
"status": "affected",
"version": "0.0.2",
"versionType": "semver"
}
]
}
]References
packetstormsecurity.com/files/174398/Apache-NiFi-H2-Connection-String-Remote-Code-Execution.html
www.openwall.com/lists/oss-security/2023/06/12/3
lists.apache.org/thread/7b82l4f5blmpkfcynf3y6z4x1vqo59h8
nifi.apache.org/security.html#CVE-2023-34468
www.cyfirma.com/outofband/apache-nifi-cve-2023-34468-rce-vulnerability-analysis-and-exploitation/
Related
nvd
nvd
CVE-2023-34468
2023-06-12 16:15:10
osv
osv
Apache NiFi vulnerable to Code Injection
2023-06-12 18:30:18
CVE-2023-34468
2023-06-12 16:15:10
veracode
veracode
Code Injection
2023-06-15 02:48:00
cve
cve
CVE-2023-34468
2023-06-12 16:15:10
prion
prion
Design/Logic Flaw
2023-06-12 16:15:00
packetstorm
packetstorm
Apache NiFi H2 Connection String Remote Code Execution
2023-08-30 00:00:00
github
github
Apache NiFi vulnerable to Code Injection
2023-06-12 18:30:18
zdt
zdt
Apache NiFi H2 Connection String Remote Code Execution Exploit
2023-08-30 00:00:00
rapid7blog
rapid7blog
Metasploit Weekly Wrap-Up
2023-09-01 16:30:00
thn
thn