CVE-2023-34212

CVSS v3.1 6.5 (Medium)
EPSS 0.16% (53rd percentile)
Affected Products 1
Advisories 1

The JndiJmsConnectionFactoryProvider Controller Service, together with the ConsumeJMS and PublishJMS Processors, in Apache NiFi 1.8.0 through 1.21.0 allows an authenticated and authorized user to configure the JNDI provider URL and client library properties so that the JNDI lookup deserializes untrusted data fetched from a remote location.

The fix validates the JNDI provider URL and restricts it to a set of allowed URL schemes, so the lookup can no longer be pointed at an arbitrary remote naming service.

Upgrade to version 1.22.0 or later, which fixes this issue.
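The two practical questions a defender has about this advisory are how a scheme allowlist on the JNDI provider URL blocks the remote-lookup path, and how to find controller services in an existing NiFi deployment that still point at such a location. The example below is added here and is not NiFi project code: it implements a scheme allowlist of the kind the fix describes and scans a flow configuration for JndiJmsConnectionFactoryProvider services whose provider URL falls outside it. The allowlist contents, the flow.xml element layout and the sample document are assumptions constructed for the example; the property key `java.naming.provider.url` is the standard JNDI key, and the allowed-scheme list shipped in NiFi 1.22.0 may differ.

```python
"""Scheme allowlist for JNDI provider URLs plus a scan of a NiFi-style flow
configuration for JndiJmsConnectionFactoryProvider services that point at a
remote lookup scheme. Added example; not code from the NiFi project."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Hypothetical allowlist (assumption): only broker transports, never a naming
# service that can return serialized objects (ldap, rmi, iiop, http, ...).
ALLOWED_SCHEMES = frozenset({"tcp", "ssl", "vm"})


def _composite_members(url: str):
    """Split an ActiveMQ-style composite URL such as
    failover:(tcp://a:61616,ssl://b:61617)?randomize=false
    into its member URLs. Returns None if the parentheses are missing."""
    start = url.find("(")
    end = url.find(")", start + 1)
    if start < 0 or end < 0:
        return None
    return [m.strip() for m in url[start + 1:end].split(",") if m.strip()]


def jndi_url_allowed(url: str, allowed=ALLOWED_SCHEMES) -> bool:
    """True only if every scheme reachable from this provider URL is allowed.
    Empty or scheme-less values are rejected rather than passed through."""
    url = url.strip()
    if not url:
        return False
    scheme = urlsplit(url).scheme.lower()
    if scheme == "failover":
        members = _composite_members(url)
        # Every member must pass; one ldap:// inside a failover list is enough
        # to reintroduce the remote lookup.
        return bool(members) and all(jndi_url_allowed(m, allowed) for m in members)
    return scheme in allowed


def audit_flow_xml(xml_text: str, allowed=ALLOWED_SCHEMES):
    """Return (service id, name, provider url) for each
    JndiJmsConnectionFactoryProvider whose provider URL is not allowed.
    The element names below follow the flow.xml layout assumed for this
    example; adjust them to the real configuration export being scanned."""
    root = ET.fromstring(xml_text)
    findings = []
    for svc in root.iter("controllerService"):
        cls = svc.findtext("class", default="")
        if not cls.endswith(".JndiJmsConnectionFactoryProvider"):
            continue
        provider_url = None
        for prop in svc.findall("property"):
            if prop.findtext("name") == "java.naming.provider.url":
                provider_url = prop.findtext("value", default="")
        if provider_url is None:
            continue  # no URL configured: nothing to look up remotely
        if not jndi_url_allowed(provider_url, allowed):
            findings.append((svc.findtext("id"), svc.findtext("name"), provider_url))
    return findings


# Constructed sample flow configuration (not taken from a real deployment).
SAMPLE_FLOW_XML = """<flowController>
  <controllerServices>
    <controllerService>
      <id>1111</id>
      <name>JMS via JNDI (internal broker)</name>
      <class>org.apache.nifi.jms.cf.JndiJmsConnectionFactoryProvider</class>
      <property><name>java.naming.provider.url</name>
                <value>tcp://broker.internal:61616</value></property>
    </controllerService>
    <controllerService>
      <id>2222</id>
      <name>JMS via JNDI (remote naming service)</name>
      <class>org.apache.nifi.jms.cf.JndiJmsConnectionFactoryProvider</class>
      <property><name>java.naming.provider.url</name>
                <value>ldap://203.0.113.7:1389/o=jms</value></property>
    </controllerService>
  </controllerServices>
</flowController>"""

if __name__ == "__main__":
    for svc_id, name, url in audit_flow_xml(SAMPLE_FLOW_XML):
        print(f"service {svc_id} ({name}) uses disallowed provider URL: {url}")
```

Run against an exported flow configuration to list every JNDI JMS service that would be rejected by a scheme allowlist; on versions before 1.22.0 those entries are the ones to fix by hand, and after upgrading the same scan doubles as a check that nobody has since added a composite URL whose members slip past a naive first-scheme check.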

Weaknesses
CWE-502
Deserialization of Untrusted Data
CVE Status
PUBLISHED
CNA
Apache Software Foundation
Published Date
2023-06-12 16:15:10
Updated Date
2023-06-21 15:18:21

Affected Products

Configuration #1

Product        CPE 2.3                   From        Up To
Apache NiFi    cpe:2.3:a:apache:nifi     >= 1.8.0    <= 1.21.0