Veracode Vulnerability Database: VERACODE:40899
Jun 15, 2023 - 2:15 a.m.

Deserialization Of Untrusted Data

2023-06-15 02:15:49
sca.analysiscenter.veracode.com
Tags: nifi, jms, vulnerability, deserialization, untrusted data, url validation, jndijmsconnectionfactoryprovider, jndijmsconnectionfactoryproperties, ldap jndi

CVSS3: 6.5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

EPSS: 0.002 Low
Percentile: 52.9%

nifi-jms-processors is vulnerable to Deserialization of Untrusted Data. The vulnerability exists due to improper URL validation in JndiJmsConnectionFactoryProvider of JndiJmsConnectionFactoryProperties.java; if an attacker has access to the provider URL and library property configuration, they can deserialize untrusted data from a remote location using LDAP JNDI.
