Lucene search

K

Veracode Vulnerability DatabaseVERACODE:40900

HistoryJun 15, 2023 - 2:48 a.m.

Code Injection

2023-06-1502:48:00

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

14

code injection

vulnerability

url validation

database services

h2 driver

software

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.89

Percentile

98.8%

nifi-hikari-dbcp-service and nifi-dbcp-base is vulnerable to Code Injection. The vulnerability exists due to improper URL validation for the database services, if an attacker has access to the database URL, an attacker can inject and execute malicious code by configuring an H2 driver.

References

packetstormsecurity.com/files/174398/Apache-NiFi-H2-Connection-String-Remote-Code-Execution.html

www.openwall.com/lists/oss-security/2023/06/12/3

github.com/advisories/GHSA-xm2m-2q6h-22jw

github.com/apache/nifi/commit/6a7a91f0fa827a2fa30b408d8bf7f7952d34559a

github.com/apache/nifi/pull/7349

issues.apache.org/jira/browse/NIFI-11653

lists.apache.org/thread/7b82l4f5blmpkfcynf3y6z4x1vqo59h8

nifi.apache.org/security.html#CVE-2023-34468

www.cyfirma.com/outofband/apache-nifi-cve-2023-34468-rce-vulnerability-analysis-and-exploitation/

www.openwall.com/lists/oss-security/2023/06/12/3

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.89

Percentile

98.8%

Related for VERACODE:40900

cvelist1 osv2 nvd1 cve1 github1 zdt1 prion1 packetstorm1 metasploit1 rapid7blog1 thn1