Lucene search
PRIOn knowledge basePRION:CVE-2023-34468HistoryJun 12, 2023 - 4:15 p.m.
Design/Logic Flaw
2023-06-1216:15:00
PRIOn knowledge base
www.prio-n.com
9
dbcpconnectionpool
hikaricpconnectionpool
apache nifi
custom code execution
database url
h2 driver
security vulnerability
upgrade
The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution.
The resolution validates the Database URL and rejects H2 JDBC locations.
You are recommended to upgrade to version 1.22.0 or later which fixes this issue.
References
packetstormsecurity.com/files/174398/Apache-NiFi-H2-Connection-String-Remote-Code-Execution.html
www.openwall.com/lists/oss-security/2023/06/12/3
lists.apache.org/thread/7b82l4f5blmpkfcynf3y6z4x1vqo59h8
nifi.apache.org/security.html
www.cyfirma.com/outofband/apache-nifi-cve-2023-34468-rce-vulnerability-analysis-and-exploitation/
Related
nvd
nvd
CVE-2023-34468
2023-06-12 16:15:10
osv
osv
Apache NiFi vulnerable to Code Injection
2023-06-12 18:30:18
CVE-2023-34468
2023-06-12 16:15:10
cvelist
cvelist
veracode
veracode
Code Injection
2023-06-15 02:48:00
cve
cve
CVE-2023-34468
2023-06-12 16:15:10
github
github
Apache NiFi vulnerable to Code Injection
2023-06-12 18:30:18
zdt
zdt
Apache NiFi H2 Connection String Remote Code Execution Exploit
2023-08-30 00:00:00
packetstorm
packetstorm
Apache NiFi H2 Connection String Remote Code Execution
2023-08-30 00:00:00
rapid7blog
rapid7blog
Metasploit Weekly Wrap-Up
2023-09-01 16:30:00
thn
thn