Published: 12/06/2023 Updated: 03/10/2023

CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8

VMScore: 0

The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 up to and including 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution. The resolution validates the Database URL and rejects H2 JDBC locations. You are recommended to upgrade to version 1.22.0 or later which fixes this issue.

Vulnerable Product	Search on Vulmon	Subscribe to Product
apache nifi

CVE-2023-34468: Remote Code Execution via DB Components in Apache NiFi

CVE-2023-34468: Remote Code Execution via DB Components in Apache NiFi The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 002 through 1210 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution Vendor Disclosure: The vendor's disclosure and fix for this vulnerabilit

CWE-94 https://nifi.apache.org/security.html#CVE-2023-34468 https://lists.apache.org/thread/7b82l4f5blmpkfcynf3y6z4x1vqo59h8 http://www.openwall.com/lists/oss-security/2023/06/12/3 http://packetstormsecurity.com/files/174398/Apache-NiFi-H2-Connection-String-Remote-Code-Execution.html https://www.cyfirma.com/outofband/apache-nifi-cve-2023-34468-rce-vulnerability-analysis-and-exploitation/https://nvd.nist.gov https://github.com/mbadanoiu/CVE-2023-34468

Get Started

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

CVE-2023-34468

Vulnerability Summary

Vulnerability Trend

Github Repositories

References

Vulmon Search

About

Products

Connect