List: oss-security
Subject: [oss-security] CVE-2023-34468: Apache NiFi: Potential Code Injection with Database Services using H2
From: David Handermann <exceptionfactory () apache ! org>
Date: 2023-06-12 14:28:25
Message-ID: a15c3bbf-8edf-e498-93cb-0bbdcab75708 () apache ! org
Severity: important
Affected versions:
- Apache NiFi 0.0.2 through 1.21.0
Description:
The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution.
The resolution validates the Database URL and rejects H2 JDBC locations.
This issue is being tracked as NIFI-11653.
Credit:
Matei "Mal" Badanoiu (finder)
References:
https://nifi.apache.org/security.html#CVE-2023-34468
https://nifi.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-34468
https://issues.apache.org/jira/browse/NIFI-11653
Timeline:
2023-06-06: reported
2023-06-06: confirmed
2023-06-06: resolved
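As an added illustration of the check the resolution describes (example code written for this page, not NiFi's own validator): a validator that parses the subprotocol out of a JDBC URL, fails closed on anything that is not a well-formed jdbc:<subprotocol>:<subname> URL, and rejects H2 regardless of letter case or surrounding whitespace, followed by an audit over a constructed, simplified list of Controller Service configurations (not NiFi's actual flow definition schema) to find services that would fail the check. The property name "Database Connection URL", the service class names, the sample configurations and the option to block further subprotocols beyond H2 are assumptions of this example.

```python
"""Validate JDBC Database Connection URLs the way the NiFi fix does in spirit
(reject H2 locations) and audit Controller Service configurations for URLs
that would be rejected. Example code, not NiFi's own implementation."""
import re
from typing import Dict, FrozenSet, Iterable, List, Tuple

# A JDBC URL has the form jdbc:<subprotocol>:<subname>. The subprotocol is what
# selects the driver, so that is the field the check must key on.
JDBC_URL = re.compile(
    r"^jdbc:(?P<subprotocol>[A-Za-z0-9_.-]+):(?P<subname>.*)$", re.DOTALL
)

# The advisory names only H2. Making the set a parameter so a deployment can
# extend it is an assumption of this example, not NiFi behaviour.
DEFAULT_BLOCKED: FrozenSet[str] = frozenset({"h2"})

# Fully qualified class names of the two affected services, as this example
# assumes them to appear in an exported configuration.
DBCP_SERVICE_TYPES = {
    "org.apache.nifi.dbcp.DBCPConnectionPool",
    "org.apache.nifi.dbcp.HikariCPConnectionPool",
}

# Name of the property holding the JDBC URL (assumption of this example).
URL_PROPERTY = "Database Connection URL"


def validate_database_url(
    url: str, blocked: FrozenSet[str] = DEFAULT_BLOCKED
) -> Tuple[bool, str]:
    """Return (valid, explanation). Anything that does not parse as a JDBC
    URL is rejected too, so an unparseable value cannot slip past the
    subprotocol check."""
    candidate = (url or "").strip()
    match = JDBC_URL.match(candidate)
    if not match:
        return False, "Database URL must have the form jdbc:<subprotocol>:<subname>"
    # Lower-case before comparing so JDBC:H2:... is treated like jdbc:h2:...
    subprotocol = match.group("subprotocol").lower()
    if subprotocol in blocked:
        return False, f"Database URL with {subprotocol} driver is not supported"
    return True, "Database URL is valid"


def find_rejected_services(
    services: Iterable[Dict], blocked: FrozenSet[str] = DEFAULT_BLOCKED
) -> List[Tuple[str, str]]:
    """Return (service name, reason) for each DBCP/HikariCP service whose
    configured URL the validator would reject; other service types are skipped."""
    rejected: List[Tuple[str, str]] = []
    for service in services:
        if service.get("type") not in DBCP_SERVICE_TYPES:
            continue
        url = service.get("properties", {}).get(URL_PROPERTY, "")
        valid, reason = validate_database_url(url, blocked)
        if not valid:
            rejected.append((service["name"], reason))
    return rejected


# Constructed sample configurations for demonstration; not from any real flow.
SAMPLE_SERVICES: List[Dict] = [
    {"name": "warehouse-pool",
     "type": "org.apache.nifi.dbcp.DBCPConnectionPool",
     "properties": {URL_PROPERTY: "jdbc:postgresql://db.internal:5432/warehouse"}},
    {"name": "scratch-h2",
     "type": "org.apache.nifi.dbcp.HikariCPConnectionPool",
     "properties": {URL_PROPERTY: "jdbc:h2:mem:scratch"}},
    {"name": "legacy",
     "type": "org.apache.nifi.dbcp.DBCPConnectionPool",
     "properties": {URL_PROPERTY: "  JDBC:H2:file:/var/lib/nifi/legacy  "}},
    {"name": "broken",
     "type": "org.apache.nifi.dbcp.DBCPConnectionPool",
     "properties": {URL_PROPERTY: "db.internal:5432"}},
    {"name": "lookup",
     "type": "org.apache.nifi.lookup.SimpleKeyValueLookupService",
     "properties": {URL_PROPERTY: "jdbc:h2:mem:ignored"}},
]


if __name__ == "__main__":
    for name, reason in find_rejected_services(SAMPLE_SERVICES):
        print(f"{name}: {reason}")
```

Running the module lists scratch-h2, legacy and broken with their reasons. Applied to the Controller Services of an existing deployment, the same logic shows which DBCP and HikariCP services need a different URL before upgrading to a fixed release, since a Controller Service whose property fails validation cannot be enabled.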