Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
NA

CVE-2023-40037

Published: 18/08/2023 Updated: 23/08/2023
CVSS v3 Base Score: 6.5 | Impact Score: 3.6 | Exploitability Score: 2.8
VMScore: 0
Subscribe to Nifi

Vulnerability Summary

Apache NiFi 1.21.0 up to and including 1.23.0 support JDBC and JNDI JMS access in several Processors and Controller Services with connection URL validation that does not provide sufficient protection against crafted inputs. An authenticated and authorized user can bypass connection URL validation using custom input formatting. The resolution enhances connection URL validation and introduces validation for additional related properties. Upgrading to Apache NiFi 1.23.1 is the recommended mitigation.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

apache nifi

Github Repositories

https://github.com/mbadanoiu/CVE-2023-40037

CVE-2023-40037: Incomplete Validation of JDBC and JNDI Connection URLs in Apache NiFi

CVE-2023-40037: Incomplete Validation of JDBC and JNDI Connection URLs in Apache NiFi Apache NiFi 1210 through 1230 support JDBC and JNDI JMS access in several Processors and Controller Services with connection URL validation that does not provide sufficient protection against crafted inputs An authenticated and authorized user can bypass connection URL validation using cu

https://github.com/mbadanoiu/CVE-2023-34212

CVE-2023-34212: Java Deserialization via JNDI Components in Apache NiFi

CVE-2023-34212: Java Deserialization via JNDI Components in Apache NiFi The JndiJmsConnectionFactoryProvider Controller Service along with the ConsumeJMS and PublishJMS Processors, in Apache NiFi 180 through 1210 allow an authenticated and authorized user to configure URL and library properties that enable deserialization of untrusted data from a remote location Vendor Dis

https://github.com/mbadanoiu/CVE-2023-34468

CVE-2023-34468: Remote Code Execution via DB Components in Apache NiFi

CVE-2023-34468: Remote Code Execution via DB Components in Apache NiFi The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 002 through 1210 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution Vendor Disclosure: The vendor's disclosure and fix for this vulnerabilit

References

CWE-697https://nifi.apache.org/security.html#CVE-2023-40037https://lists.apache.org/thread/bqbjlrs2p5ghh8sbk5nsxb8xpf9l687qhttp://www.openwall.com/lists/oss-security/2023/08/18/2https://nvd.nist.govhttps://github.com/mbadanoiu/CVE-2023-40037
VMScore
CVSSv2
CVSSv3
VMScore
Recommendations:
encryptionCVE-2024-4331CVE-2024-26925arbitrary codeCVE-2006-4304CVE-2024-25458CVE-2024-27077reflected XSSCVE-2024-4059
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook