List:       oss-security
Subject:    [oss-security] CVE-2023-40037: Apache NiFi: Incomplete Validation of JDBC and JNDI Connection URLs
From:       David Handermann <exceptionfactory@apache.org>
Date:       2023-08-18 20:50:18
Message-ID: 7c583366-9388-6d73-bafe-aba03be24df9@apache.org

Severity: moderate

Affected versions:

- Apache NiFi 1.21.0 through 1.23.0

Description:

Apache NiFi 1.21.0 through 1.23.0 support JDBC and JNDI JMS access in several Processors and Controller Services. The validation applied to the connection URL properties of those components does not provide sufficient protection against crafted inputs: an authenticated and authorized user can bypass connection URL validation using custom input formatting. The resolution enhances connection URL validation and introduces validation for additional related properties. Upgrading to Apache NiFi 1.23.1 is the recommended mitigation.
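The advisory does not spell out which formatting defeats the check, so the following is an added illustration of the general failure class rather than NiFi's validator or a reproduction of NIFI-11920: a connection URL check that matches a prefix and denylists a substring on the raw string, beside one that parses the whole URL and allow-lists every component. The driver names, the parameter allow-list, the blocked parameter name "dangerousOption" and the sample URLs are all constructed for this example. Whether a particular driver honours a percent-encoded or differently cased property name is driver-specific, which is exactly why the strict version does not try to enumerate bad spellings and instead fails closed on anything outside the expected shape.

```python
"""Illustrative connection URL validation: a weak check beside a strict one.

Hypothetical example added to this advisory; it is not Apache NiFi code and
does not reproduce NIFI-11920. The parameter name 'dangerousOption' and the
allow-lists below are made up for illustration.
"""
import re
from urllib.parse import unquote

# Hypothetical property name that the weak validator tries to block.
BLOCKED_PARAM = "dangerousOption"
# Example allow-lists (constructed for this illustration).
ALLOWED_JDBC_DRIVERS = {"postgresql", "mysql"}
ALLOWED_JDBC_PARAMS = {"usessl", "servertimezone", "applicationname"}
ALLOWED_JNDI_SCHEMES = {"tcp", "ssl"}  # broker transport schemes only; never ldap/rmi


def weak_jdbc_validate(url: str) -> bool:
    """Prefix check plus a raw-substring denylist, as many ad hoc validators do.

    It never parses the URL, so any spelling of the blocked name that differs
    on the raw string (percent-encoding, case changes) slips past the denylist
    even if the driver later decodes it to the same property.
    """
    if not url.startswith("jdbc:"):
        return False
    driver = url[len("jdbc:"):].split(":", 1)[0]
    if driver not in ALLOWED_JDBC_DRIVERS:
        return False
    return BLOCKED_PARAM not in url


_JDBC_RE = re.compile(
    r"jdbc:(?P<driver>[a-z]+)://(?P<host>[A-Za-z0-9.-]+)(?::(?P<port>\d{1,5}))?"
    r"/(?P<db>[A-Za-z0-9_]+)(?:\?(?P<query>[^#]*))?"
)


def strict_jdbc_validate(url: str) -> bool:
    """Parse the whole URL into components and allow-list each one.

    Anything that does not match the expected shape exactly (surrounding
    whitespace, fragments, unexpected characters, a query parameter not on
    the allow-list) is rejected.
    """
    m = _JDBC_RE.fullmatch(url)
    if not m:
        return False
    if m.group("driver") not in ALLOWED_JDBC_DRIVERS:
        return False
    port = m.group("port")
    if port is not None and not 1 <= int(port) <= 65535:
        return False
    query = m.group("query")
    if query:
        for pair in query.split("&"):
            if "=" not in pair:
                return False
            key, value = pair.split("=", 1)
            # Decode before comparing so an encoded spelling cannot hide a
            # name, then compare case-insensitively against the allow-list.
            if unquote(key).lower() not in ALLOWED_JDBC_PARAMS:
                return False
            if not re.fullmatch(r"[A-Za-z0-9_.:/-]*", unquote(value)):
                return False
    return True


def strict_jndi_provider_validate(url: str) -> bool:
    """Allow-list the scheme of a JNDI provider URL.

    Remote naming providers such as ldap:// or rmi:// are the classic JNDI
    injection vector, so only the expected transport schemes are accepted.
    """
    m = re.fullmatch(
        r"(?P<scheme>[a-z]+)://(?P<host>[A-Za-z0-9.-]+)(?::\d{1,5})?(?:/[A-Za-z0-9_/-]*)?",
        url,
    )
    return bool(m) and m.group("scheme") in ALLOWED_JNDI_SCHEMES


# Constructed inputs: the first is benign, the second is the blocked name
# spelled plainly, the rest are formatting variants that the weak check misses.
SAMPLES = [
    "jdbc:postgresql://db.internal:5432/app?applicationName=nifi",
    "jdbc:mysql://db.internal/app?dangerousOption=true",
    "jdbc:mysql://db.internal/app?DANGEROUSOPTION=true",
    "jdbc:mysql://db.internal/app?dangerous%4Fption=true",
]


def compare(urls=SAMPLES):
    """Return (url, weak_result, strict_result) for each sample."""
    return [(u, weak_jdbc_validate(u), strict_jdbc_validate(u)) for u in urls]


if __name__ == "__main__":
    for url, weak, strict in compare():
        print(f"weak={weak!s:5} strict={strict!s:5} {url!r}")
```

Running the module prints the two verdicts side by side: the weak check accepts the upper-cased and percent-encoded spellings of the blocked name, the strict check accepts only the first, benign URL. The same parse-and-allow-list approach is what the advisory's resolution describes in general terms (enhanced connection URL validation plus validation of related properties), but the concrete checks NiFi 1.23.1 applies are in the project's own code, not in this example.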

This issue is being tracked as NIFI-11920.

Credit:

Matei "Mal" Badanoiu (finder)

References:

https://nifi.apache.org/security.html#CVE-2023-40037
https://nifi.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-40037
https://issues.apache.org/jira/browse/NIFI-11920

Timeline:

2023-08-06: reported
