CVE-2023-40037

Apache NiFi: Incomplete Validation of JDBC and JNDI Connection URLs

Description

Apache NiFi 1.21.0 through 1.23.0 support JDBC and JNDI JMS access in several Processors and Controller Services with connection URL validation that does not provide sufficient protection against crafted inputs. An authenticated and authorized user can bypass connection URL validation using custom input formatting. The resolution enhances connection URL validation and introduces validation for additional related properties. Upgrading to Apache NiFi 1.23.1 is the recommended mitigation.

References

Link	Tags
https://nifi.apache.org/security.html#CVE-2023-40037	release notes vendor advisory
https://lists.apache.org/thread/bqbjlrs2p5ghh8sbk5nsxb8xpf9l687q	vendor advisory mailing list
http://www.openwall.com/lists/oss-security/2023/08/18/2	third party advisory mailing list

Frequently Asked Questions

What is the severity of CVE-2023-40037?: CVE-2023-40037 has been scored as a medium severity vulnerability.
How to fix CVE-2023-40037?: To fix CVE-2023-40037, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2023-40037 being actively exploited in the wild?: It is possible that CVE-2023-40037 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~1% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-40037?: CVE-2023-40037 affects Apache Software Foundation Apache NiFi.

Description

Categories

CWE-184 – Incomplete List of Disallowed Inputs

CWE-697 – Incorrect Comparison

References

Frequently Asked Questions