Apache NiFi vulnerable to Code Injection

2023-06-1218:30:18

CWE-94

GitHub Advisory Database

github.com

apache nifi

code injection

dbcpconnectionpool

hikaricpconnectionpool

authenticated user

authorized user

database url

h2 driver

custom code execution

upgrade

resolution

version 1.22.0

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

0.907 High

EPSS

Percentile

98.9%

JSON

The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution.

The resolution validates the Database URL and rejects H2 JDBC locations.

You are recommended to upgrade to version 1.22.0 or later which fixes this issue.

Affected configurations

Vulners

Node

org.apache.nifi\Matchnifi-dbcp-service-nar

org.apache.nifi\Matchnifi-hikari-dbcp-service

org.apache.nifi\Matchnifi-dbcp-service

CPENameOperatorVersion
org.apache.nifi:nifi-dbcp-service-narge0.0.2
org.apache.nifi:nifi-dbcp-service-narlt1.22.0
org.apache.nifi:nifi-hikari-dbcp-servicege0.0.2
org.apache.nifi:nifi-hikari-dbcp-servicelt1.22.0
org.apache.nifi:nifi-dbcp-basege0.0.2
org.apache.nifi:nifi-dbcp-baselt1.22.0

Name	Operator	Version
org.apache.nifi:nifi-dbcp-service-nar	ge	0.0.2
org.apache.nifi:nifi-dbcp-service-nar	lt	1.22.0
org.apache.nifi:nifi-hikari-dbcp-service	ge	0.0.2
org.apache.nifi:nifi-hikari-dbcp-service	lt	1.22.0
org.apache.nifi:nifi-dbcp-base	ge	0.0.2
org.apache.nifi:nifi-dbcp-base	lt	1.22.0