CVE-2023-34468

Apache NiFi: Potential Code Injection with Database Services using H2

Description

The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution. The resolution validates the Database URL and rejects H2 JDBC locations. You are recommended to upgrade to version 1.22.0 or later which fixes this issue.

References

Link	Tags
https://nifi.apache.org/security.html#CVE-2023-34468	release notes vendor advisory
https://lists.apache.org/thread/7b82l4f5blmpkfcynf3y6z4x1vqo59h8	vendor advisory mailing list
http://www.openwall.com/lists/oss-security/2023/06/12/3	third party advisory mailing list
http://packetstormsecurity.com/files/174398/Apache-NiFi-H2-Connection-String-Remote-Code-Execution.html	third party advisory vdb entry
https://www.cyfirma.com/outofband/apache-nifi-cve-2023-34468-rce-vulnerability-analysis-and-exploitation/	third party advisory

Frequently Asked Questions

What is the severity of CVE-2023-34468?: CVE-2023-34468 has been scored as a high severity vulnerability.
How to fix CVE-2023-34468?: To fix CVE-2023-34468, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2023-34468 being actively exploited in the wild?: It is possible that CVE-2023-34468 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~78% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-34468?: CVE-2023-34468 affects Apache Software Foundation Apache NiFi.

Description

Category

CWE-94 – Improper Control of Generation of Code ('Code Injection')

References

Frequently Asked Questions