
List:       oss-security
Subject:    [oss-security] CVE-2023-34468: Apache NiFi: Potential Code Injection with Database Services using H2
From:       David Handermann <exceptionfactory () apache ! org>
Date:       2023-06-12 14:28:25
Message-ID: a15c3bbf-8edf-e498-93cb-0bbdcab75708 () apache ! org

Severity: important

Affected versions:

- Apache NiFi 0.0.2 through 1.21.0

Description:

The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2
through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the
H2 driver that enables custom code execution.

The resolution validates the Database URL and rejects H2 JDBC locations.
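
The URL check that the resolution describes, shown here as an added Python illustration rather than NiFi's own Java validator: it parses the JDBC subprotocol out of a Database URL and rejects H2 locations before the driver is ever loaded. The regular expression, the reject set, the function names and the sample URLs are assumptions made for this example, not values from the advisory.

```python
import re
from typing import Optional, Tuple

# Hypothetical validator for the Database URL property of a connection-pool
# service. The advisory's fix rejects H2 JDBC locations; this mirrors that
# decision for any "jdbc:<subprotocol>:..." string.
_JDBC_URL = re.compile(r"^jdbc:([A-Za-z0-9]+):", re.IGNORECASE)

# Subprotocols whose driver must never be reachable from user-supplied
# configuration. H2 is the one named in the advisory.
REJECTED_SUBPROTOCOLS = frozenset({"h2"})


def jdbc_subprotocol(url: str) -> Optional[str]:
    """Return the lower-cased JDBC subprotocol (e.g. 'postgresql'), or None
    when the string is not a "jdbc:<subprotocol>:..." URL at all."""
    match = _JDBC_URL.match(url.strip())
    return match.group(1).lower() if match else None


def validate_database_url(url: str) -> Tuple[bool, str]:
    """Accept the URL only if it is a JDBC URL whose subprotocol is not on
    the reject list. Matching is case-insensitive and tolerates surrounding
    whitespace so that 'JDBC:H2:' is not mistaken for a harmless value."""
    subprotocol = jdbc_subprotocol(url)
    if subprotocol is None:
        return False, "Database URL must have the form jdbc:<subprotocol>:..."
    if subprotocol in REJECTED_SUBPROTOCOLS:
        return False, f"Database URL subprotocol [{subprotocol}] is not allowed"
    return True, f"Database URL subprotocol [{subprotocol}] accepted"


if __name__ == "__main__":
    # Constructed sample values; none of them come from the advisory.
    samples = [
        "jdbc:postgresql://db.example.internal:5432/nifi",
        "jdbc:h2:mem:scratch",
        "  JDBC:H2:file:/var/tmp/scratch  ",
        "h2:mem:scratch",
    ]
    for sample in samples:
        ok, reason = validate_database_url(sample)
        print(f"{'ACCEPT' if ok else 'REJECT'} {sample!r}: {reason}")
```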

This issue is being tracked as NIFI-11653.

Credit:

Matei "Mal" Badanoiu (finder)

References:

https://nifi.apache.org/security.html#CVE-2023-34468
https://nifi.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-34468
https://issues.apache.org/jira/browse/NIFI-11653

Timeline:

2023-06-06: reported
2023-06-06: confirmed
2023-06-06: resolved

